On Mon, Oct 12, 2020 at 09:36:26AM +0200, Radoslaw Kujawa via FreeIPA-users 
wrote:
> Hi.
> 
> On 10/12/20 3:05 AM, Fraser Tweedale via FreeIPA-users wrote:
> > On Thu, Oct 08, 2020 at 10:03:03PM +0200, Radoslaw Kujawa via FreeIPA-users 
> > wrote:
> > > On 10/8/20 9:06 PM, Rob Crittenden via FreeIPA-users wrote:
> > > > Radosław Kujawa via FreeIPA-users wrote:
> > > > > 
> > > > > Is it possible to add email subjectAltName to a certificate when it is
> > > > > being signed by the IPA?
> > > > > 
> > > > 
> > > > How would the profile know what e-mail to add?
> > > > 
> > > 
> > > These certificates are treated by IPA as "user certificates". The CN is
> > > set to IPA user's login.
> > > 
> > > By some magic, IPA knows that such certificate should be added to LDAP
> > > object representing particular user.
> > > 
> > > I hoped it would be possible to instruct it, to fetch the email attribute
> > > from LDAP object when signing the cert (based on the CN) and put it into
> > > subjectAltName.
> > > 
> > 
> > A modern enterprise PKI should be able to do it.  But FreeIPA
> > cannot.  It's fundamentally possible but a lot of work to achieve
> > it.  I blogged about it several years ago:
> > 
> > https://frasertweedale.github.io/blog-redhat/posts/2015-11-04-freeipa-pki-future.html
> > 
> > For now, you must get the rfc822Name into the CSR's SAN extension,
> > somehow.  What tool are you using to generate those CSRs?  Perhaps
> > we can help find a way to do it.
> > 
> 
> Long story short, the organization where I work has adopted Yubikeys as
> its primary authentication method. This is working out well for us so far. Since
> we are already using IPA user certificates for PIV authentication, the
> thought appeared that we could use the same certs for S/MIME (at least
> Evolution appears to be able to successfully access the PIV cert on Yubikey
> to perform signing).
> 
> The Yubikey "provisioning" process is currently self-service. Due to the small
> size of the organization (and the fact that currently most people work from
> home), it would be nice if it could stay this way. All users equipped with a
> Yubikey have a CA ACL that allows them to request certs using a customized
> caIPAuserCert profile.
> 
> Currently, from the user's perspective this is as simple as:
> $ yubico-piv-tool --key=$KEY -a generate -s 9a -A RSA2048 -o pub.pem
> $ yubico-piv-tool -a verify -a request -s 9a -P $PIN -S "/CN=$(whoami)/" -i pub.pem -o req.pem
> $ ipa cert-request --profile-id=caIPAuserCert --principal $(whoami) req.pem
> 
> Then downloading the signed user certificate and running
> $ yubico-piv-tool --key=$KEY -a import-certificate -i cert.pem -s 9a
> 
> Note that in this setup the private key is generated on the Yubikey and
> never leaves the device.
> 
> The yubico-piv-tool -a request does not seem to have an option to add any
> kind of SAN to CSR.
> 
> I know at least theoretically it is possible to generate the private key and
> CSR using openssl, then sign in IPA, and import the resulting private key
> and certificate onto Yubikey. However, from a security perspective, I see
> more opportunities for the user to mess up something here.
> 
Yubico provides a PKCS #11 module for Yubikeys configured in PIV
mode.  In fact it is installed as part of the Fedora yubico-piv-tool
package:

    ftweedal% rpm -ql yubico-piv-tool | grep ykcs
    /usr/lib64/libykcs11.so.1
    /usr/lib64/libykcs11.so.2.1.1

With that, the user can use OpenSSL, NSS or another tool to interface
with the token to generate the key and CSR.  It is true that this is
nontrivial and easy for a typical user to mess up.  But it should not
be much work to write a small script/program for users to use, and
hide the tricky bits.

> One more doubt appears here. I obviously wouldn't want the user to sign a
> certificate with different email in CSR than appears in their own LDAP
> object...
> 
The FreeIPA cert-request command validates the names in the CSR against the
subject principal.  For rfc822Name, the subject principal must have
a matching 'mail' attribute value.  So if the user supplies a CSR with the
wrong email, the request will be rejected.

Cheers,
Fraser
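As an added example (this is not code from the thread, from FreeIPA or from yubico-piv-tool), here is the kind of small wrapper Fraser suggests: it keeps the poster's on-token key generation, replaces the `yubico-piv-tool -a request` step with OpenSSL through the pkcs11 engine backed by libykcs11 so the CSR's SAN can carry the rfc822Name, and mirrors the server-side rule locally by checking the SAN addresses against the principal's 'mail' values before calling `ipa cert-request`. The engine configuration, the assumption that PIV slot 9a appears as PKCS#11 object id 1 in libykcs11, the `ipa user-show --raw` output format and the `--certificate-out` option are assumptions to verify on your own platform.

```shell
#!/bin/sh
# Added example, not from the thread, FreeIPA or yubico-piv-tool.
# Assumptions (hypothetical, adjust locally): OpenSSL >= 1.1.1 (-addext),
# OpenSC's engine_pkcs11 installed, libykcs11 at the Fedora path shown in
# the thread, and PIV slot 9a exposed by libykcs11 as PKCS#11 object id 1.
set -eu

YKCS11_MODULE="${YKCS11_MODULE:-/usr/lib64/libykcs11.so.1}"
PIV_KEY_URI="pkcs11:id=%01;type=private"   # slot 9a; assumption, see above

# Write an OpenSSL config that loads engine_pkcs11 backed by libykcs11.
# $1 = path of the config file to create.
write_engine_conf() {
    cat > "$1" <<EOF
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
MODULE_PATH = $YKCS11_MODULE
init = 0
EOF
}

# Build the -addext value that puts each address into the CSR's SAN as an
# rfc822Name. Fails (status 1) when no address is given, because a CSR
# without the e-mail is exactly what the thread is trying to avoid.
san_extension() {
    _san=""
    for _addr in "$@"; do
        _san="${_san:+$_san,}email:$_addr"
    done
    [ -n "$_san" ] || { echo "no mail address supplied" >&2; return 1; }
    printf 'subjectAltName=%s\n' "$_san"
}

# Local mirror of the server-side rule Fraser describes: every rfc822Name in
# the CSR must equal one of the principal's 'mail' values, or cert-request
# rejects it. $1 = space-separated SAN e-mails, $2 = space-separated mail
# values. Returns 0 when every SAN address is covered, 1 otherwise.
san_matches_mail() {
    for _san in $1; do
        _found=0
        for _mail in $2; do
            [ "$_san" = "$_mail" ] && _found=1
        done
        [ "$_found" -eq 1 ] || return 1
    done
    return 0
}

# Print the rfc822Name values found in a PEM CSR, one per line.
csr_emails() {
    openssl req -in "$1" -noout -text \
        | tr ',' '\n' | sed -n 's/^ *email:\([^ ]*\).*/\1/p'
}

# End-to-end flow for the self-service case in the thread. The key is
# generated on the token with yubico-piv-tool exactly as the poster does;
# only the CSR step changes, from 'yubico-piv-tool -a request' to OpenSSL
# through the pkcs11 engine, so the SAN can carry the address.
request_cert() {
    _login="$(whoami)"
    # 'mail' values of the principal, as printed by 'ipa user-show --raw'
    # (assumed output format: lines of "  mail: address").
    _mail="$(ipa user-show --raw "$_login" | sed -n 's/^ *mail: //p')"
    _san="$(san_extension $_mail)"      # exits here if the user has no mail
    _conf="$(mktemp)"
    write_engine_conf "$_conf"

    OPENSSL_CONF="$_conf" openssl req -new -engine pkcs11 \
        -keyform engine -key "$PIV_KEY_URI" \
        -subj "/CN=$_login/" -addext "$_san" -out req.pem
    rm -f "$_conf"

    # Catch a mismatch locally before the server does.
    san_matches_mail "$(csr_emails req.pem)" "$_mail" \
        || { echo "CSR e-mail does not match the IPA mail attribute" >&2; return 1; }

    ipa cert-request --profile-id=caIPAuserCert --principal "$_login" \
        --certificate-out=cert.pem req.pem
    yubico-piv-tool --key="${KEY:?set KEY to the PIV management key}" \
        -a import-certificate -i cert.pem -s 9a
}

# Run only when explicitly asked, so the functions can be sourced and tested.
if [ "${RUN_REQUEST:-0}" = 1 ]; then
    request_cert
fi
```

Run it as `RUN_REQUEST=1 KEY=<management key> sh ipa-yk-csr.sh` after the `yubico-piv-tool -a generate` step from the thread; the private key still never leaves the token, and the only user-facing difference is that the SAN is filled from the IPA mail attribute rather than typed by hand, so the server-side rfc822Name check cannot be tripped by a typo.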
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org