We use ansible to set up all systems. Configuration isn’t a problem.
On Jun 20, 2022, at 9:05 PM, Fraser Tweedale
<ftweedal(a)redhat.com> wrote:
On Mon, Jun 20, 2022 at 07:49:16PM +0000, Charles Hedrick wrote:
> Keeping our own certificates up to date on the various types of
> clients is messy enough that we gave up on that.
>
> The only thing we would actually use it for is kinit -n, to
> bootstrap kinit for OTP. While kinit -n would be the most elegant
> way to do it, we have several other approaches.
>
> Documentation seems to say that if pkinit_eku_checking is set to
> kpServerAuth, we don't need the extension. I've found that kinit
> -n actually does work when the client sets this. However I have to
> install the certificates manually on the KDC, since the command
> won't do it.
This approach substitutes a certificate distribution requirement
with a config distribution requirement. Every client would have to
accept the certificate with id-kp-serverAuth instead of
id-pkinit-KPKdc** - non-default behaviour which does not conform to
RFC 4556. Some client implementations might not have a workaround.
This workaround might be acceptable for your environment. In
general, accepting certificates that do not conform to the
requirements of RFC 4556 introduces a substantial risk of FreeIPA
administrators misconfiguring their environment.
Rob & Michal, perhaps this can be considered as an RFE: to relax
this requirement via a flag, accompanied by ample warnings?
** id-pkinit-KPKdc is not required if the krbtgt/REALM principal
name appears in a id-pkinit-san otherName SAN value. But public
CAs will not include that either.
Thanks,
Fraser
> ________________________________
> From: Fraser Tweedale <ftweedal(a)redhat.com>
> Sent: Sunday, June 19, 2022 11:34 PM
> To: Charles Hedrick <hedrick(a)rutgers.edu>; Rob Crittenden via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org>
> Cc: Rob Crittenden <rcritten(a)redhat.com>
> Subject: Re: [Freeipa-users] Re: ipa-server-certinstall -k
>
>> On Wed, Jun 15, 2022 at 04:23:30PM -0400, Rob Crittenden via FreeIPA-users
wrote:
>> Charles Hedrick via FreeIPA-users wrote:
>>> the error is
>>>
>>> The KDC certificate in cert.pem, privkey.pem is not valid: invalid for a
KDC
>>
>> A PKINIT certificate needs an EKU extension,
>>
https://datatracker.ietf.org/doc/html/rfc4556
>>
>> When generating the key with OpenSSL you need to include "-extensions
>> kdc_cert"
>>
> It's unlikely that publicly trusted CAs will issue certs with
> id-pkinit-KPKdc in EKU. CABForum Baseline Requirements[1]
> 7.1.2.3(f) says:
>
> Either the value id-kp-serverAuth [RFC5280] or id-kp-clientAuth
> [RFC5280] or both values MUST be present. id-kp-emailProtection
> [RFC5280] MAY be present. Other values SHOULD NOT be present.
>
> [1]:
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.8.4.pdf
>
> Charles, you might need to use a certificate issued directly by the
> IPA CA for your KDC, or else do without PKINIT.
>
> Thanks,
> Fraser
>
>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Charles Hedrick via FreeIPA-users
>>> <freeipa-users(a)lists.fedorahosted.org>
>>> *Sent:* Wednesday, June 15, 2022 3:39 PM
>>> *To:* freeipa-users(a)lists.fedorahosted.org
>>> <freeipa-users(a)lists.fedorahosted.org>
>>> *Cc:* Charles Hedrick <hedrick(a)rutgers.edu>
>>> *Subject:* [Freeipa-users] ipa-server-certinstall -k
>>>
>>> ipa-server-certinstall works fine for http and ldap. But I can't get
the
>>> -k option to work.
>>>
>>> I've tried cert.pem and privkey.pem with and without chain.pem, as well
>>> as fullchain.pem and privkey.pem (fullchain has both the cert and the
>>> chain).
>>>
>>> The certs were issued by Internet2, which chains up to addtrust.
>>>
>>> kinit -n works fine if I install the pem files manually, so presumably
>>> my files are valid.
>>>
>>>
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>>> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>> Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
>>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>> Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
>