Hello List, I'm testing SSL decryption on a firewall. The self-signed CA cert and private signing key that I started testing with are generated on the firewall itself, which works. So I am now trying to figure out how to generate a Sub CA with its own private signing key to be imported to the firewall. I'm not having any luck figuring out how to create a CA with its own key.
Is this possible? If so can someone help me with this task?
Thanks, Ralph
On Mon, Apr 08, 2019 at 06:01:53PM -0000, Ralph Crongeyer via FreeIPA-users wrote:
> Hello List,
> I'm testing SSL decryption on a firewall. The self-signed CA cert and private signing key that I started testing with are generated on the firewall itself, which works. So I am now trying to figure out how to generate a Sub CA with its own private signing key to be imported to the firewall. I'm not having any luck figuring out how to create a CA with its own key.
> Is this possible? If so can someone help me with this task?
> Thanks, Ralph
Hi Ralph,
It's not really clear how this question relates to FreeIPA - especially because you mention generating CA keys and self-signed certs on a firewall system/device. Could you please give more details about what you are trying to do, and how it relates to FreeIPA?
Thanks, Fraser
Hi Fraser, sure thing. I was just pointing out that for testing we used the keys generated on the FW. Now we would like to use FreeIPA as the CA for the FWs. So I am trying to figure out how best to go about this using FreeIPA. What I am trying to do is to create a sub CA cert and its signing key on FreeIPA and then export those from FreeIPA for use on the FWs.
Hope that makes more sense.
Ralph
On Tue, Apr 09, 2019 at 12:17:17PM -0000, Ralph Crongeyer via FreeIPA-users wrote:
> Hi Fraser, sure thing. I was just pointing out that for testing we used the keys generated on the FW. Now we would like to use FreeIPA as the CA for the FWs. So I am trying to figure out how best to go about this using FreeIPA. What I am trying to do is to create a sub CA cert and its signing key on FreeIPA and then export those from FreeIPA for use on the FWs.
> Hope that makes more sense.
Why does the firewall need a CA signing certificate? Are you going to be MITMing your users' TLS?
Anyhow, you should generate the keys and CSR on the system that will be the sub-CA. Then follow the procedure outlined in my blog post for creating a sub-CA profile and issuing a sub-CA certificate: https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordinat...
If you only need service certificates for the firewall, just create the keys and CSRs on the firewall machine, and submit them as you would any other service certificate.
HTH, Fraser
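Following Fraser's advice, here is an added example (not from this thread or from the FreeIPA project) that generates the sub-CA key and CSR on the host that will become the sub-CA, so the private key never has to be exported, and then checks that the CSR actually requests the CA extensions. It assumes the openssl CLI; the subject and file names are placeholders, and submitting the CSR against a sub-CA profile is still done in FreeIPA as the blog post describes.

```shell
#!/bin/sh
# Added example: sub-CA key and CSR generated where the sub-CA will live.
# Assumes openssl; subject name and paths are constructed placeholders.
set -eu

gen_subca_csr() {
    # $1 = output directory, $2 = subject CN (placeholder values)
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    # CSR config: ask for CA:TRUE with pathlen 0 and the usages a signing CA needs.
    # The issuing profile on the FreeIPA side decides whether to honour them.
    cat > "$dir/subca.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = ca_ext
prompt = no
[ dn ]
CN = $cn
[ ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Private key is created with owner-only permissions and stays on this host.
    (umask 077 && openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:3072 -out "$dir/subca.key" 2>/dev/null)
    openssl req -new -key "$dir/subca.key" -config "$dir/subca.cnf" \
        -out "$dir/subca.csr" 2>/dev/null
    echo "$dir/subca.csr"
}

csr_requests_ca() {
    # Prints "yes" if the CSR carries basicConstraints CA:TRUE, otherwise "no".
    if openssl req -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo yes
    else
        echo no
    fi
}
```

Only the CSR (subca.csr) is sent to FreeIPA; the key file is never copied off the host.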
freeipa-users@lists.fedorahosted.org