IPA Certificates

From Dogtag


This page describes the PKI certificates used by IPA.

Certificate Profiles

IPA uses the following certificate profiles:

  • caCACert
  • caOCSPCert
  • caSignedLogCert
  • caSubsystemCert
  • caServerCert
  • AdminCert
  • caIPAServiceCert

DS Certificates

DS certificates are stored in /etc/dirsrv/slapd-<REALM>:

  • <REALM> IPA CA (CN=Certificate Authority)
  • Server-Cert

PKI Certificates

PKI certificates are stored in /var/lib/pki/pki-tomcat/alias and tracked by IPA:

  • caSigningCert cert-pki-ca (CN=Certificate Authority)
  • Server-Cert cert-pki-ca (CN=<hostname>)
  • subsystemCert cert-pki-ca (CN=CA Subsystem)
  • ocspSigningCert cert-pki-ca (CN=OCSP Subsystem)
  • auditSigningCert cert-pki-ca (CN=CA Audit)
  • storageCert cert-pki-kra (CN=KRA Storage Certificate)
  • transportCert cert-pki-kra (CN=KRA Transport Certificate)
  • auditSigningCert cert-pki-kra (CN=KRA Audit)
  • caSigningCert External CA

The CA certificates are also stored in /root/cacert.p12:

  • caSigningCert cert-pki-ca
  • ocspSigningCert cert-pki-ca
  • subsystemCert cert-pki-ca
  • auditSigningCert cert-pki-ca

The KRA certificates are also stored in /root/kracert.p12:

  • transportCert cert-pki-kra
  • storageCert cert-pki-kra
  • subsystemCert cert-pki-ca
  • auditSigningCert cert-pki-kra

PKI Admin Certificate

The PKI admin certificate is stored in several locations:

  • /root/ca-agent.p12 with nickname ipa-ca-agent (misleading nickname).
  • /root/.dogtag/pki-tomcat/ca_admin.cert
  • /root/.dogtag/pki-tomcat/ca_admin.cert.der
  • /root/.dogtag/pki-tomcat/ca_admin_cert.p12 (moved to /root/ca-agent.p12)

PKI Agent Certificate

The PKI agent certificate is stored in /etc/httpd/alias and tracked by IPA:

  • ipaCert (CN=IPA RA)

For the IPA Password Vault, the certificate is exported and cached in /etc/httpd/alias/kra-agent.pem because python-requests does not support NSS. The cache is invalidated if KRA authentication fails.

IPA Certificates

IPA certificates are stored in /etc/httpd/alias:

  • <REALM> IPA CA (CN=Certificate Authority)
  • <External CA DN>
  • ipa-ca-agent (CN=ipa-ca-agent)
  • ipaCert (CN=IPA RA)
  • Signing-Cert (CN=Object Signing Cert)
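The lists above give an operator an inventory to check against: each NSS database should contain the nicknames this page assigns to it, and nothing unexplained. The script below is an added example, not code from the Dogtag wiki or the FreeIPA project. It takes the text of `certutil -L -d <database>` for one of the databases, parses the nickname/trust-flag lines (nicknames may contain spaces, so the line is split from the right), and reports nicknames that are missing, present but not listed here, or a CA entry whose SSL trust flags lack `C`. The certutil listings embedded in it are constructed sample output, the realm `EXAMPLE.COM` is a stand-in for `<REALM>`, and the expectation that the IPA CA carries the `C` trust flag is the author's assumption rather than something this page states.

```python
"""Check an NSS database listing against the nicknames documented for it.

Added example (not from the Dogtag wiki or FreeIPA). Feed it the output of
`certutil -L -d <db>`; it parses the nickname and trust-attribute columns and
compares them with the nicknames this page lists for that database.
"""
import re

# Nicknames this page says each database holds. <REALM> is substituted by
# check_database(); <hostname> and <External CA DN> entries are per-instance
# and are not matched here.
EXPECTED = {
    "/etc/dirsrv/slapd-<REALM>": {"<REALM> IPA CA", "Server-Cert"},
    "/var/lib/pki/pki-tomcat/alias": {
        "caSigningCert cert-pki-ca", "Server-Cert cert-pki-ca",
        "subsystemCert cert-pki-ca", "ocspSigningCert cert-pki-ca",
        "auditSigningCert cert-pki-ca",
    },
    "/etc/httpd/alias": {
        "<REALM> IPA CA", "ipa-ca-agent", "ipaCert", "Signing-Cert",
    },
}

# Entries that are only present on some installs (KRA, externally signed CA);
# they are not reported as unexpected when found.
OPTIONAL = {
    "/var/lib/pki/pki-tomcat/alias": {
        "storageCert cert-pki-kra", "transportCert cert-pki-kra",
        "auditSigningCert cert-pki-kra", "caSigningCert External CA",
    },
}

# A trust-attribute triple such as "u,u,u" or "CT,C,C" (empty fields allowed).
TRUST_RE = re.compile(r"^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$")


def parse_certutil_listing(text):
    """Return {nickname: trust_flags} parsed from `certutil -L` output.

    Header lines ("Certificate Nickname ... Trust Attributes") and the
    "SSL,S/MIME,JAR/XPI" legend do not end in a trust triple and are skipped.
    """
    certs = {}
    for line in text.splitlines():
        parts = line.rsplit(None, 1)
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue
        nickname, trust = parts
        certs[nickname] = trust
    return certs


def check_database(db_path, listing, realm="EXAMPLE.COM"):
    """Compare a listing with this page's expected set for db_path.

    Returns (missing, unexpected, untrusted_ca): nicknames expected but absent,
    nicknames present but neither expected nor optional, and the IPA CA
    nickname if it is present without the 'C' flag in the SSL trust field
    (assumption: the CA should be trusted for SSL in these databases).
    """
    expected = {n.replace("<REALM>", realm) for n in EXPECTED[db_path]}
    optional = OPTIONAL.get(db_path, set())
    found = parse_certutil_listing(listing)
    missing = sorted(expected - set(found))
    unexpected = sorted(set(found) - expected - optional)
    ca_nick = f"{realm} IPA CA"
    untrusted_ca = []
    if ca_nick in found and "C" not in found[ca_nick].split(",")[0]:
        untrusted_ca.append(ca_nick)
    return missing, unexpected, untrusted_ca


# Constructed sample listings (not captured from a real server).
SAMPLE_HTTPD = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
ipa-ca-agent                                                 u,u,u
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u
"""

SAMPLE_DS = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
old-Server-Cert                                              u,u,u
"""

if __name__ == "__main__":
    for db, sample in (("/etc/httpd/alias", SAMPLE_HTTPD),
                       ("/etc/dirsrv/slapd-<REALM>", SAMPLE_DS)):
        missing, unexpected, untrusted = check_database(db, sample)
        print(db, "missing:", missing, "unexpected:", unexpected,
              "untrusted CA:", untrusted)
```

On a real server the listing comes from `certutil -L -d <database>` (add `-f` with the database password file if the database is protected); the constructed DS sample above is deliberately missing the CA entry and carries a leftover `old-Server-Cert` so both report paths are exercised.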