On Mon, Jun 20, 2022 at 07:49:16PM +0000, Charles Hedrick wrote:
> Keeping our own certificates up to date on the various types of
> clients is messy enough that we gave up on that.
>
> The only thing we would actually use it for is kinit -n, to
> bootstrap kinit for OTP. While kinit -n would be the most elegant
> way to do it, we have several other approaches.
>
> Documentation seems to say that if pkinit_eku_checking is set to
> kpServerAuth, we don't need the extension. I've found that kinit
> -n actually does work when the client sets this. However I have to
> install the certificates manually on the KDC, since the command
> won't do it.

This approach substitutes a certificate distribution requirement with a
config distribution requirement. Every client would have to accept the
certificate with id-kp-serverAuth instead of id-pkinit-KPKdc** - non-default
behaviour which does not conform to RFC 4556. Some client implementations
might not have a workaround.

This workaround might be acceptable for your environment. In general,
accepting certificates that do not conform to the requirements of RFC 4556
introduces a substantial risk of FreeIPA administrators misconfiguring their
environment.

Rob & Michal, perhaps this can be considered as an RFE: to relax this
requirement via a flag, accompanied by ample warnings?

** id-pkinit-KPKdc is not required if the krbtgt/REALM principal name
appears in an id-pkinit-san otherName SAN value. But public CAs will not
include that either.

Thanks,
Fraser

> ________________________________
> From: Fraser Tweedale <ftwee...@redhat.com>
> Sent: Sunday, June 19, 2022 11:34 PM
> To: Charles Hedrick <hedr...@rutgers.edu>; Rob Crittenden via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org>
> Cc: Rob Crittenden <rcrit...@redhat.com>
> Subject: Re: [Freeipa-users] Re: ipa-server-certinstall -k
>
> On Wed, Jun 15, 2022 at 04:23:30PM -0400, Rob Crittenden via FreeIPA-users
> wrote:
> > Charles Hedrick via FreeIPA-users wrote:
> > > the error is
> > >
> > > The KDC certificate in cert.pem, privkey.pem is not valid: invalid for a
> > > KDC
> >
> > A PKINIT certificate needs an EKU extension,
> > https://datatracker.ietf.org/doc/html/rfc4556
> >
> > When generating the key with OpenSSL you need to include "-extensions
> > kdc_cert"
> >
> It's unlikely that publicly trusted CAs will issue certs with
> id-pkinit-KPKdc in EKU. CABForum Baseline Requirements[1]
> 7.1.2.3(f) says:
>
> Either the value id-kp-serverAuth [RFC5280] or id-kp-clientAuth
> [RFC5280] or both values MUST be present. id-kp-emailProtection
> [RFC5280] MAY be present. Other values SHOULD NOT be present.
>
> [1]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.8.4.pdf
>
> Charles, you might need to use a certificate issued directly by the
> IPA CA for your KDC, or else do without PKINIT.
>
> Thanks,
> Fraser
>
> > >
> > > ------------------------------------------------------------------------
> > > *From:* Charles Hedrick via FreeIPA-users
> > > <freeipa-users@lists.fedorahosted.org>
> > > *Sent:* Wednesday, June 15, 2022 3:39 PM
> > > *To:* freeipa-users@lists.fedorahosted.org
> > > <freeipa-users@lists.fedorahosted.org>
> > > *Cc:* Charles Hedrick <hedr...@rutgers.edu>
> > > *Subject:* [Freeipa-users] ipa-server-certinstall -k
> > >
> > > ipa-server-certinstall works fine for http and ldap. But I can't get the
> > > -k option to work.
> > >
> > > I've tried cert.pem and privkey.pem with and without chain.pem, as well
> > > as fullchain.pem and privkey.pem (fullchain has both the cert and the
> > > chain).
> > >
> > > The certs were issued by Internet2, which chains up to addtrust.
> > >
> > > kinit -n works fine if I install the pem files manually, so presumably
> > > my files are valid.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
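The EKU check this thread turns on, as an added worked example (not code from MIT Kerberos, FreeIPA or anyone on this thread): a Go model of the kpKDC and kpServerAuth pkinit_eku_checking modes run against two constructed self-signed certificates, one carrying only id-kp-serverAuth as a public CA would issue it and one carrying id-pkinit-KPKdc as the IPA CA issues it. The function and fixture names, kdc.example.test, and the reading that the relaxed mode still accepts id-pkinit-KPKdc are assumptions of this example, not behaviour quoted from krb5.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

var idPkinitKPKdc = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 2, 3, 5} // id-pkinit-KPKdc, RFC 4556 section 3.2.4

// KDCEKUAcceptable models the krb5.conf pkinit_eku_checking modes kpKDC and kpServerAuth on EKU
// alone; the RFC 4556 alternative of a krbtgt/REALM id-pkinit-san otherName is not modelled here.
func KDCEKUAcceptable(cert *x509.Certificate, mode string) (bool, string) {
	kpKdc, serverAuth := false, false
	for _, oid := range cert.UnknownExtKeyUsage { // Go has no constant for this OID, so it lands here
		kpKdc = kpKdc || oid.Equal(idPkinitKPKdc)
	}
	for _, u := range cert.ExtKeyUsage {
		serverAuth = serverAuth || u == x509.ExtKeyUsageServerAuth
	}
	switch mode {
	case "kpKDC": // default: strict RFC 4556, the check behind "invalid for a KDC"
		return kpKdc, "id-pkinit-KPKdc required"
	case "kpServerAuth": // relaxed: a TLS server certificate is taken as a secondary usage
		return kpKdc || serverAuth, "id-pkinit-KPKdc or id-kp-serverAuth required (not RFC 4556)"
	}
	return false, "unknown pkinit_eku_checking value"
}

// selfSigned builds a constructed, throw-away certificate carrying exactly the given EKUs.
func selfSigned(eku []x509.ExtKeyUsage, extra []asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kdc.example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: eku, UnknownExtKeyUsage: extra}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Constructed fixtures: a public-CA style cert (BR 7.1.2.3(f): id-kp-serverAuth only) and an IPA-CA style KDC cert.
func PublicCACert() (*x509.Certificate, error) { return selfSigned([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, nil) }
func IPACACert() (*x509.Certificate, error)    { return selfSigned(nil, []asn1.ObjectIdentifier{idPkinitKPKdc}) }
```

The same test can be pointed at a real KDC certificate by replacing the fixture with x509.ParseCertificate over the DER of the file ipa-server-certinstall -k rejected.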