Difference between revisions of "Directory-Authenticated Profiles"

From Dogtag
Jump to: navigation, search
m (Importing the Renewed Certificate)
m (Preparing LDAP Server)
Line 13: Line 13:
  
 
<pre>
 
<pre>
$ ldapadd -x -D "cn=Directory Manager" -w Secret.123 << EOF
+
$ ldapadd -h $HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 << EOF
 
dn: uid=testuser,ou=People,dc=example,dc=com
 
dn: uid=testuser,ou=People,dc=example,dc=com
 
objectClass: person
 
objectClass: person
Line 28: Line 28:
  
 
<pre>
 
<pre>
$ ldapsearch -x -D "uid=testuser,ou=People,dc=example,dc=com" -w Secret.123 \
+
$ ldapsearch -h $HOSTNAME -x -D "uid=testuser,ou=People,dc=example,dc=com" -w Secret.123 \
 
     -b "dc=example,dc=com" "(objectClass=*)"
 
     -b "dc=example,dc=com" "(objectClass=*)"
 
</pre>
 
</pre>

Revision as of 17:03, 15 January 2020

Overview

This document describes how to use directory-authenticated profiles:

  • caDirUserCert: Dual-Use User Certificate Enrollment
  • caECDirUserCert: Dual-Use ECC User Certificate Enrollment
  • caDirUserRenewal: User Certificate Self-Renewal

It assumes that the CA is already installed.

Preparing LDAP Server

Make sure the LDAP server has a user with a password:

$ ldapadd -h $HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: uid=testuser,ou=People,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: testuser
cn: Test User
sn: User
userPassword: Secret.123
EOF

Verify using the following command:

$ ldapsearch -h $HOSTNAME -x -D "uid=testuser,ou=People,dc=example,dc=com" -w Secret.123 \
    -b "dc=example,dc=com" "(objectClass=*)"

Configuring PKI Server

By default the directory-authenticated profiles are configured with UserDirEnrollment authentication manager:

auth.instance_id=UserDirEnrollment

Add the UserDirEnrollment authentication manager into /var/lib/pki/pki-tomcat/ca/conf/CS.cfg:

auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth
auths.instance.UserDirEnrollment.ldap.basedn=dc=example,dc=com
auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=internaldb
auths.instance.UserDirEnrollment.ldap.ldapconn.host=server.example.com
auths.instance.UserDirEnrollment.ldap.ldapconn.port=389
auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false

Customize the profiles as needed in /var/lib/pki/pki-tomcat/ca/profiles/ca/ folder. To simplify testing the validity range can be changed to 30 days:

policyset.userCertSet.2.default.params.range=30

Restart PKI server:

$ systemctl restart pki-tomcatd@pki-tomcat.service

Preparing PKI Client

Create a new client NSS database if necessary:

$ pki -c Secret.123 client-init
------------------
Client initialized
------------------

Enrollment

Simplified Process

Execute the following command to submit the enrollment request. It will prompt for the LDAP password:

$ pki -U https://$HOSTNAME:8443 -c Secret.123 client-cert-request \
    --profile caDirUserCert --username testuser --password
Password: ********
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 16
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0xc

The certificate will be issued immediately.

Manual Process

Generate a CSR:

$ PKCS10Client -d ~/.dogtag/nssdb -p Secret.123 -a rsa -l 1024 -o testuser.csr \
    -n "UID=testuser"
PKCS10Client: Debug: got token.
PKCS10Client: Debug: thread token set.
PKCS10Client: token Internal Key Storage Token logged in...
PKCS10Client: key pair generated.
PKCS10Client: pair.getPublic() called.
PKCS10Client: CertificationRequestInfo() created.
PKCS10Client: CertificationRequest created.
PKCS10Client: calling Utils.b64encode.
PKCS10Client: b64encode completes.
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBfTCB5wIBADAaMRgwFgYKCZImiZPyLGQBARMIdGVzdHVzZXIwgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBAPEcxFJBu2lNmIS+MNaZKO43h0dIhKZWZ8wEomQc
tc9guIUGM5eFU+psj6n0XQCPMIVRe7mrzYHF8mlwAp416P5/97g9U6JOKkTXc5ia
HVE1JRhykHiQ17Lp7Y6xXxfe6xKAXDoLOPJ4fNdadtbVeIGjudWktjgwh5CQBXsA
GFP5AgMBAAGgJDAiBggrBgEFBQcHFzEWBBTmaclfLv+kkK5z5kTMP54dlnecUDAN
BgkqhkiG9w0BAQQFAAOBgQAXrm979HwcG63Z64u+aybYrfOgyWxQ4kTtCA+NKYge
HC6Z/mlb10J/wggOzrHUbE4IFyjbBo2k1FKe8zYcXIB6Ok5Z0TXueR1zKcb8hE35
o9dkH2sGJsSqMLN8NRyY5QeqOKmtaX8pm1aPhJ0wkvOYou52YqJdq6LF9KXmBGOH
hA==

-----END NEW CERTIFICATE REQUEST-----
PKCS10Client: done. Request written to file: testuser.csr

Get the request template:

$ pki ca-cert-request-profile-show caDirUserCert --output testuser.xml

Edit the request file:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
    <Attributes>
        <Attribute name="uid">testuser</Attribute>
        <Attribute name="pwd">Secret.123</Attribute>
    </Attributes>
    <ProfileID>caDirUserCert</ProfileID>
    <Renewal>false</Renewal>
    <SerialNumber></SerialNumber>
    <RemoteHost></RemoteHost>
    <RemoteAddress></RemoteAddress>
    <Input id="i1">
        <ClassID>keyGenInputImpl</ClassID>
        <Name>Key Generation</Name>
        <Attribute name="cert_request_type">
            <Value>pkcs10</Value>
            <Descriptor>
                <Syntax>keygen_request_type</Syntax>
                <Description>Key Generation Request Type</Description>
            </Descriptor>
        </Attribute>
        <Attribute name="cert_request">
            <Value>
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBfTCB5wIBADAaMRgwFgYKCZImiZPyLGQBARMIdGVzdHVzZXIwgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBALvbVD1U6nzYh61tjjKC24mBqeKjABpEpl5CqyrT
guX5PtHdrlOUbWOro8vNzXMWccm3IVEgJHTQyQdxenIkIGcwMXu9XlwI6zph1UaT
oJ1CRh8z2Tn5Ncg6LvOejDJg+XtKEXEOTq0qzztBXTEe9uuKYb9AKc6iSmtfM7ZO
nCZPAgMBAAGgJDAiBggrBgEFBQcHFzEWBBTmaclfLv+kkK5z5kTMP54dlnecUDAN
BgkqhkiG9w0BAQQFAAOBgQBeVpuaZ1Sr1tHznU/0xSQ3OvEd3poJ0mk44KRYFdwu
NbeZaGtvhYFwLfQH0mMOWrzvrh0a2eXWC8z51iuqvNJCHDX+rUGIYpZH8mtY3jMp
8mlDWClrcpAdmJTj0ztFggmBd0Zvl4EqPqp0SY5YYLxwEwcKXT/g8bDdS5UM68hq
QA==

-----END NEW CERTIFICATE REQUEST-----
            </Value>
            <Descriptor>
                <Syntax>keygen_request</Syntax>
                <Description>Key Generation Request</Description>
            </Descriptor>
        </Attribute>
    </Input>
</CertEnrollmentRequest>

Submit the request:

$ pki -U https://$HOSTNAME:8443 -c Secret.123 ca-cert-request-submit testuser.xml
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 16
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0xc

The certificate will be issued immediately.

Importing the Certificate

Import the new certificate into the client's NSS database by providing a new nickname and the serial number:

$ pki -c Secret.123 client-cert-import testuser --serial 0xc
-------------------------------
Imported certificate "testuser"
-------------------------------

Verify with the following command:

$ pki -c Secret.123 client-cert-find
----------------------
2 certificate(s) found
----------------------
  Serial Number: 0x1
  Nickname: CA Signing Certificate - EXAMPLE
  Subject DN: CN=CA Signing Certificate,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,O=EXAMPLE

  Serial Number: 0xc
  Nickname: testuser
  Subject DN: UID=testuser,OU=People,DC=example,DC=com
  Issuer DN: CN=CA Signing Certificate,O=EXAMPLE
----------------------------
Number of entries returned 2
----------------------------

Renewal

Self-Renewal

Execute the following command to submit the renewal request. It will prompt for the LDAP password:

$ pki -U https://$HOSTNAME:8443 -c Secret.123 -n testuser client-cert-request \
    --profile caDirUserRenewal --username testuser --password
Password: ********
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 23
  Type: renewal
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x11

The certificate will be issued immediately.

Importing the Renewed Certificate

Remove the old certificate from the client NSS database:

$ pki -c Secret.123 client-cert-del testuser
------------------------------
Removed certificate "testuser"
------------------------------

Import the new certificate into the client NSS database:

$ pki -c Secret.123 client-cert-import testuser --serial 0x11
-------------------------------
Imported certificate "testuser"
-------------------------------

Verify with the following command:

$ pki -c Secret.123 client-cert-find
----------------------
2 certificate(s) found
----------------------
  Serial Number: 0x1
  Nickname: CA Signing Certificate - EXAMPLE
  Subject DN: CN=CA Signing Certificate,O=EXAMPLE
  Issuer DN: CN=CA Signing Certificate,O=EXAMPLE

  Serial Number: 0x11
  Nickname: testuser
  Subject DN: UID=testuser,OU=People,DC=example,DC=com
  Issuer DN: CN=CA Signing Certificate,O=EXAMPLE
----------------------------
Number of entries returned 2
----------------------------

References