On Fri, 17 Apr 2020, Rob Crittenden via FreeIPA-users wrote:
Henery Hawk via FreeIPA-users wrote:
> I've tinkered with FreeIPA a while ago when I was investigating
> various ways to control WiFi access but have not been very active
> lately with it.
>
> I have a new topic that popped up where I need to create user
> certificates for access to a specific web site hosted behind an Nginx
> Reverse Proxy.
>
> I have manually created a (forgive my incorrect terms) ca cert and
> pointed nginx to it and then I created user certs for each user that
> needs to be granted access. This was done manually using openssh in
> the pilot phase.
>
> Would FreeIPA be able to do this at scale? I see some chatter about
> FreeIPA 4.x introducing user certs, but that chatter hasn't
> specifically covered how to get the master ca cert linked to
> nginx/apache.
>
> The noob question might be useful for someone doing similar research.
> I am not mission critical in this investigation, just trying to
> minimize my manual management of user certs.
The procedure for IPA wouldn't be that different than any other PKI:
- create a CA
- issue a web server cert from that CA
- issue user certs from that CA
- profit!
To do it in IPA you'd do something like:
- install IPA (you get a CA with that, using ipa-server-install)
- enroll your web host as an IPA client (ipa-client-install)
- create the service HTTP/web.example.com
- on web.example.com use ipa-getcert to request a certificate with -K
  HTTP/web.example.com along with the other options specific to the host
- The IPA CA chain is in /etc/ipa/ca.crt, you can point your web server
config to that for the CA path
- Create users in IPA
- issue user certs for those users
This still glosses over some of the details but it should point you in
the right direction.
You can see a sample application setup at
https://github.com/adelton/webauthinfra
It is fully integrated, demonstrating also authentication via SAML or
OpenID Connect or Kerberos:
                            HTTP with auth
  +----------+    HTTP    +------------------+   result    +-------------+
  | Browser  | ---------> | Web server       | ----------> | Application |
  | "client" | <--------- + with authn/authz | <---------- | "app"       |
  +----------+ Negotiate  | setup            | application +-------------+
       |       or         | "www"            |  content
       |       redirect   +------------------+
       |
       \  Kerberos        +---------+
       | ---------------> | FreeIPA |
       |                  | "ipa"   |
       |  or SAML         +---------+
       |  or OpenID       +-----------------+
       \  Connect         | SAML IdP or     |
          --------------> | OpenID Provider |
          redirects       | "idp"           |
                          +-----------------+
The only change for your use case would be to make sure the 'www' setup
is enhanced to allow client certificate authentication similar to this
block in FreeIPA's configuration:
https://pagure.io/freeipa/blob/master/f/install/share/ipa.conf.template#_114
The latter allows authenticating by client certificate and transforming
that authentication into a Kerberos ticket with the help of S4U2Self
protocol transition, so that the application behind the authn/authz 'www'
server doesn't need to know how exactly authentication happened. All it
would see is that authn succeeded, there are environment attributes set,
and so on.
This all assumes an Apache stack, not NGINX (there is no mod_auth_gssapi
analogue for NGINX).
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
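The procedure Rob outlines (service cert via ipa-getcert, user certs from the IPA CA, web server trusting /etc/ipa/ca.crt) and the nginx client-certificate side Henery asked about, as an added example; this is not code from the thread, from FreeIPA or from the webauthinfra repository. The IPA commands are collected in a function that is only meant to be run on an enrolled client with a Kerberos ticket; the host name web.example.com, the user alice, the IECUserRoles profile and the nginx paths are assumptions. Because nothing here can talk to a real IPA server, a throwaway OpenSSL CA (constructed, standing in for the IPA CA) is used to show the one check nginx performs with ssl_verify_client: chaining the presented certificate to the configured CA and rejecting a certificate for the same name from another CA.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or webauthinfra). Assumed names:
# web.example.com, user alice, profile IECUserRoles, nginx paths under /etc/pki.
set -eu

# --- Part 1: the real IPA steps. Not executed here; run on an enrolled client
# after `kinit admin` (or as a host with rights to manage the service).
ipa_steps() {
  # service principal + TLS cert for the proxy, tracked/renewed by certmonger
  ipa service-add HTTP/web.example.com
  ipa-getcert request -K HTTP/web.example.com -D web.example.com \
      -k /etc/pki/tls/private/web.key -f /etc/pki/tls/certs/web.crt
  # user cert: IPA checks that the CSR's CN equals the user's uid
  ipa user-add alice --first=Alice --last=Example
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
      -keyout alice.key -out alice.csr
  ipa cert-request alice.csr --principal=alice --profile-id=IECUserRoles
  # the CA chain nginx must trust is already on every enrolled client:
  ls -l /etc/ipa/ca.crt
}

# --- Part 2: offline stand-in CA so the verification step can be exercised.
make_stand_in_ca() {            # $1 = dir, $2 = realm/org name (constructed CA)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/O=$2/CN=Certificate Authority" \
      -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_user_cert() {             # $1 = CA dir, $2 = uid; mimics an IPA user cert
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
      -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
      -CAcreateserial -out "$1/$2.crt" 2>/dev/null
}

# What nginx does with `ssl_verify_client on` + `ssl_client_certificate ca.crt`:
# build a chain from the presented cert to the trusted CA. Prints ok or fail.
verify_client_cert() {          # $1 = CA chain file, $2 = client cert
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# The identity nginx forwards to the app (via $ssl_client_s_dn); CN only here.
client_cn() {                   # $1 = client cert
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//; s/.*CN=//'
}

# nginx server block that trusts the IPA CA and requires a client cert.
nginx_client_cert_block() {     # $1 = path to the IPA CA chain
  cat <<EOF
server {
    listen 443 ssl;
    server_name web.example.com;
    ssl_certificate         /etc/pki/tls/certs/web.crt;     # from ipa-getcert
    ssl_certificate_key     /etc/pki/tls/private/web.key;
    ssl_client_certificate  $1;                             # /etc/ipa/ca.crt
    ssl_verify_client       on;
    ssl_verify_depth        2;
    location / {
        proxy_pass http://app:8080;
        proxy_set_header X-Client-DN \$ssl_client_s_dn;     # identity for the app
    }
}
EOF
}

# Demo: a cert from "our" CA passes, a cert for the same uid from another CA fails.
WORK=$(mktemp -d)
OTHER=$(mktemp -d)
make_stand_in_ca "$WORK" EXAMPLE.COM
issue_user_cert "$WORK" alice
make_stand_in_ca "$OTHER" OTHER.TEST
issue_user_cert "$OTHER" alice
echo "alice from our CA:     $(verify_client_cert "$WORK/ca.crt" "$WORK/alice.crt")"
echo "alice from another CA: $(verify_client_cert "$WORK/ca.crt" "$OTHER/alice.crt")"
echo "identity forwarded:    $(client_cn "$WORK/alice.crt")"
nginx_client_cert_block /etc/ipa/ca.crt
```

Note that this only covers what nginx can do on its own: it verifies the chain and passes the subject DN to the application as a header, so the application (or an intermediate step in front of it) still has to decide what that DN is allowed to do. The S4U2Self transition Alexander describes, where the client-cert authentication is turned into a Kerberos ticket, is an Apache-stack feature and has no counterpart in this nginx configuration.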