Hello everybody,
I am looking for a way to digitally sign documents by end-users within an organisation.
I can add a certificate to every user with our IPA user-add-cert system.
I can use SSSD clients to pull up the certificate.
org.freedesktop.sssd.infopipe.Users.FindByCertificate
Is there a way to integrate SSSD user certificates into the Mozilla Certificate Manager?
https://www.freeipa.org/page/V4/User_Certificates
https://help.libreoffice.org/6.1/he/text/shared/guide/digitalsign_send.html
Has anybody otherwise done this with CAcert, or integrated CAcert certificates into ipa user-add-cert?
Kind regards,
Jelle de Jong
On Thu, Jun 01, 2023 at 02:18:40PM +0200, Jelle de Jong via FreeIPA-users wrote:
Hello everybody,
I am looking for a way to digitally sign documents by end-users within an organisation.
Hi,
Correct me if I'm wrong, but to my understanding the certificate is not sufficient for a digital signature, because this requires the private key, and the certificate will only contain the public key for others to verify your signature.
bye, Sumit
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
On 6/1/23 15:18, Sumit Bose via FreeIPA-users wrote:
On Thu, Jun 01, 2023 at 02:18:40PM +0200, Jelle de Jong via FreeIPA-users wrote:
Hello everybody,
I am looking for a way to digitally sign documents by end-users within an organisation.
Hi,
Correct me if I'm wrong, but to my understanding the certificate is not sufficient for a digital signature, because this requires the private key, and the certificate will only contain the public key for others to verify your signature.
I agree with you; I cannot figure out where FreeIPA would store the user's private key.
However, it does mention S/MIME signing support, and I am also not sure whether these wiki pages are a draft of future features.
https://www.freeipa.org/page/V4/User_Certificates#S.2FMIME_and_User_Signing_...
https://www.freeipa.org/page/V4/Sub-CAs
https://www.freeipa.org/page/V4/Certificate_Profiles
Does someone know if I can use FreeIPA as root CA to create new user private/public key pairs, store them in FreeIPA, and retrieve them with SSSD?
You would obtain the certificate via one of the supported methods that generates the private key on the local machine first. The IPA CA would just sign the CSR and send back the signed certificate. So you should have the private key already.
For documentation see: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/htm...
You would need to set up a certificate profile correctly for what you need to issue the certificate with the correct Subject and usage.
This page has information on how to create a profile for S/MIME. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/htm... You might be able to use this certificate for other things too, by setting the key usage for multiple things at once, but it must conform to standards or it won't work.
How you configure the client application to use the certificate depends on which method you used to obtain it and where it's stored.
For example, certmonger (in EL8+) can store it in PEM format files (in EL7 it stored them in an NSS database). https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
You either import them manually into your application or have your application read the certificate through a wrapper. For example, for X.509 certs there are PKCS#11 modules that can read them from files or from a smart card.
Disclaimer: I have not tried these features so I can't say how exactly to set them up, but I'm reading into them recently as I'm also setting up my own FreeIPA for smart card login. I can however confirm that using a certmonger-obtained and tracked certificate works for an Apache HTTP server for several years now.
On Thu, 1 Jun 2023 18:32:07 +0200 Jelle de Jong via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Does someone know if I can use FreeIPA as root CA to create new user private/public key pairs, store them in FreeIPA, and retrieve them with SSSD?
On Fri, Jun 02, 2023 at 02:40:09AM +0200, Jernej Jakob via FreeIPA-users wrote:
You would obtain the certificate via one of the supported methods that generates the private key on the local machine first. The IPA CA would just sign the CSR and send back the signed certificate. So you should have the private key already.
On Thu, 1 Jun 2023 18:32:07 +0200 Jelle de Jong via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Does someone know if I can use FreeIPA as root CA to create new user private/public key pairs, store them in FreeIPA, and retrieve them with SSSD?
Hi,
How certificate/private-key pairs can be created is described above by Jernej. FreeIPA and SSSD only allow storing the public part, i.e. the certificate, but not the private key, because, as the name says, you want to keep it private and not share it in a central store like FreeIPA.
bye, Sumit
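The flow Jernej describes and the point Sumit makes twice in this thread, carried out end to end as an added example (this is not code from the list, from FreeIPA or from SSSD): the key pair is generated on the client, only the CSR reaches the CA, the CA's profile fixes the key usage, FreeIPA gets the certificate alone, and that certificate can verify a signature but never produce one. The stand-in CA below is an assumption that plays the role of the IPA CA so the script runs offline; the user jdoe, the domain example.test, the document text and the extension file standing in for an IPA certificate profile are all made up.

```shell
#!/bin/sh
# Added example for this thread, not code from the list, FreeIPA or SSSD.
# Assumptions: the stand-in CA replaces the IPA CA so this runs offline;
# jdoe, example.test and smime.ext (a stand-in for an IPA profile) are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Stand-in CA. In the real flow this is the IPA CA and the client never
# holds ca.key; it exists here only so the demo runs without an IPA server.
make_stand_in_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
        -subj "/O=Example/CN=Stand-in IPA CA" \
        -keyout ca.key -out ca.pem >/dev/null 2>&1
}

# Step 1 (client): generate the key pair locally. jdoe.key never leaves the
# machine; the CSR carries only the public key and the requested subject.
make_user_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example/CN=jdoe" \
        -keyout jdoe.key -out jdoe.csr >/dev/null 2>&1
}

# Step 2 (CA): sign the CSR. Key usage, EKU and the e-mail SAN come from the
# issuer's profile (here an extension file), not from the requester.
issue_smime_cert() {
    cat > smime.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,nonRepudiation,keyEncipherment
extendedKeyUsage=emailProtection
subjectAltName=email:jdoe@example.test
EOF
    openssl x509 -req -in jdoe.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 30 -sha256 -extfile smime.ext -out jdoe.pem >/dev/null 2>&1
}

# Checks a relying party makes: the cert chains to the CA and carries
# digitalSignature plus the e-mail protection EKU that S/MIME signing needs.
cert_chains_to_ca() {
    openssl verify -CAfile ca.pem jdoe.pem >/dev/null 2>&1
}
cert_has_smime_usage() {
    text=$(openssl x509 -in jdoe.pem -noout -text)
    echo "$text" | grep -q 'E-mail Protection' && echo "$text" | grep -q 'Digital Signature'
}

# The certificate holds only the public key: no PRIVATE KEY block in it,
# and openssl refuses to sign with it.
cert_contains_private_key() {
    grep -q 'PRIVATE KEY' jdoe.pem
}
sign_with_cert_only() {
    openssl dgst -sha256 -sign jdoe.pem doc.txt >/dev/null 2>&1
}

# Step 3 (user): sign a document with the private key ...
sign_document() {
    printf 'Purchase order 42: approved\n' > doc.txt
    openssl dgst -sha256 -sign jdoe.key -out doc.sig doc.txt
}
# ... and anyone who holds only the certificate can verify it.
verify_with_cert() {
    openssl x509 -in jdoe.pem -noout -pubkey > jdoe.pub
    openssl dgst -sha256 -verify jdoe.pub -signature doc.sig "$1" >/dev/null 2>&1
}

# What FreeIPA gets to keep: the certificate alone, as base64 DER, which is
# the form `ipa user-add-cert jdoe --certificate=...` accepts.
cert_for_ipa() {
    openssl x509 -in jdoe.pem -outform DER | openssl base64 -A
}

# What the signing application needs: key + cert + chain as PKCS#12, the
# format the Mozilla Certificate Manager imports under "Your Certificates".
# The password is a placeholder for the demo.
bundle_for_import() {
    openssl pkcs12 -export -inkey jdoe.key -in jdoe.pem -certfile ca.pem \
        -name "jdoe S/MIME" -passout pass:changeit -out jdoe.p12 2>/dev/null
    [ -s jdoe.p12 ]
}

make_stand_in_ca
make_user_key_and_csr
issue_smime_cert
sign_document
printf 'Purchase order 42: rejected\n' > tampered.txt
echo "chains to CA:              $(cert_chains_to_ca && echo yes || echo no)"
echo "S/MIME usage:              $(cert_has_smime_usage && echo yes || echo no)"
echo "signature on doc.txt:      $(verify_with_cert doc.txt && echo valid || echo INVALID)"
echo "signature on tampered.txt: $(verify_with_cert tampered.txt && echo valid || echo INVALID)"
echo "private key inside cert:   $(cert_contains_private_key && echo yes || echo no)"
echo "can sign with cert only:   $(sign_with_cert_only && echo yes || echo no)"
echo "for ipa user-add-cert:     $(cert_for_ipa)"
```

Against a real deployment the two steps the stand-in CA replaces are `ipa cert-request jdoe.csr --principal=jdoe --profile-id=<your S/MIME profile>` (the profile, not the CSR, is what puts emailProtection and digitalSignature into the certificate) and `ipa user-add-cert jdoe --certificate="$(cert_for_ipa)"`; the profile name is a placeholder. Nothing in either command carries jdoe.key, which is exactly why SSSD's FindByCertificate can only ever hand back the certificate. The PKCS#12 bundle is the piece that answers the Certificate Manager question: import it there (or let certmonger keep the PEM key and certificate on disk, as Jernej notes for EL8+, and point a PKCS#11 module at them), and keep the password out of scripts in anything but a demo.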