Configuring Directory Authenticated Certificate Profiles - dogtagpki/pki GitHub Wiki
This document describes how to configure directory-authenticated certificate profiles:
- caDirUserCert: Directory-Authenticated User Dual-Use Certificate Enrollment
- caECDirUserCert: Directory-Authenticated User ECC Certificate Enrollment
- caDirUserRenewal: Directory-Authenticated User Certificate Self-Renew profile
Prepare an LDAP subtree containing the users to be enrolled. The subtree must be searchable by the CA (the ACI below allows anonymous search of the basic naming attributes) and each user must be able to bind with a password. For example:

```
$ ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: ou=people,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: people
aci: (target="ldap:///ou=people,dc=example,dc=com") (targetattr=objectClass||dc||ou||uid||cn||sn||givenName) (version 3.0; acl "Allow anyone to read and search basic attributes"; allow (search, read) userdn = "ldap:///anyone";)
aci: (target="ldap:///ou=people,dc=example,dc=com") (targetattr=*) (version 3.0; acl "Allow anyone to read and search itself"; allow (search, read) userdn = "ldap:///self";)

dn: uid=testuser,ou=people,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: testuser
cn: Test User
sn: User
userPassword: Secret.123
EOF
```

Passing the bind password with `-w` on the command line leaves it in the shell history and process list; outside a test setup use `-W` (prompt) or `-y` (read from a file) instead.
Verify that the user can bind with its password:

```
$ ldapsearch \
    -H ldap://$HOSTNAME \
    -x \
    -D "uid=testuser,ou=People,dc=example,dc=com" \
    -w Secret.123 \
    -b "dc=example,dc=com" \
    "(objectClass=*)"
```
The caDirUserCert profile is stored in /var/lib/pki/pki-tomcat/ca/profiles/ca/caDirUserCert.cfg.

By default the profile is disabled. To enable it, set the following parameter:

```
enable=true
```

By default the issued certificate is valid for 180 days. For testing, the validity can be shortened, e.g. to 5 minutes:

```
policyset.userCertSet.2.default.params.range=5
policyset.userCertSet.2.default.params.rangeUnit=minute
```
By default the profile is configured to use the UserDirEnrollment authentication manager:

```
auth.instance_id=UserDirEnrollment
```

Add the UserDirEnrollment authentication manager to /var/lib/pki/pki-tomcat/ca/conf/CS.cfg:

```
auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth
auths.instance.UserDirEnrollment.ldap.basedn=dc=example,dc=com
auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=internaldb
auths.instance.UserDirEnrollment.ldap.ldapconn.host=pki.example.com
auths.instance.UserDirEnrollment.ldap.ldapconn.port=389
auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false
```

The bindDN is used to look up the enrolling user's entry; the user's own password is then checked with a bind as that user. With `secureConn=false` both credentials cross the network in cleartext on port 389, so outside a test environment set `secureConn=true` and point `port` at the directory's TLS listener. Binding as `cn=Directory Manager` is also more privilege than the lookup needs: the ACI above already lets any identity search the subtree, so a dedicated low-privilege service account can be used instead.
The UidPwdDirAuth authentication plugin is already defined in CS.cfg:

```
auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication
```
Finally, restart the PKI server:

```
$ systemctl restart pki-tomcatd@pki-tomcat.service
```
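The profile and CS.cfg edits above are easy to get wrong by hand (a key appended twice, a stale `secureConn=false` left behind). The script below is an added example, not part of the dogtagpki/pki wiki or the project's own tooling: it applies the UserDirEnrollment settings idempotently, refuses to run if the UidPwdDirAuth plugin is not registered, and, going beyond the page's test values, uses the directory's TLS port so the user passwords are not sent in the clear. It operates on constructed copies of CS.cfg and caDirUserCert.cfg in a temporary directory; the real paths, the host `pki.example.com` and the LDAPS port 636 are assumptions.

```shell
#!/bin/sh
# Added example, not from the dogtagpki/pki wiki: apply the UserDirEnrollment
# settings to CS.cfg and enable caDirUserCert without appending duplicate keys
# when the script is re-run. File names, host and port are assumptions.
set -eu

# Print the value of KEY in FILE. Dogtag config files are plain key=value lines,
# so match the literal "KEY=" prefix; values may themselves contain "=" (a DN).
# Exit status 1 if the key is absent.
get_cfg_param() {
    awk -v k="$2" '
        index($0, k "=") == 1 { print substr($0, length(k) + 2); found = 1 }
        END { if (!found) exit 1 }' "$1"
}

# Set KEY=VALUE in FILE: rewrite the existing line in place, else append.
set_cfg_param() {
    _file="$1"; _key="$2"; _value="$3"
    if get_cfg_param "$_file" "$_key" >/dev/null 2>&1; then
        awk -v k="$_key" -v v="$_value" '
            index($0, k "=") == 1 { print k "=" v; next }
            { print }' "$_file" > "$_file.tmp" && mv "$_file.tmp" "$_file"
    else
        printf '%s=%s\n' "$_key" "$_value" >> "$_file"
    fi
}

# Wire the UidPwdDirAuth plugin up as the UserDirEnrollment instance and
# enable the profile. Refuses to run if the plugin class is not registered.
configure_dir_auth() {
    _cs="$1"; _profile="$2"; _host="$3"; _port="$4"; _secure="$5"
    get_cfg_param "$_cs" auths.impl.UidPwdDirAuth.class >/dev/null 2>&1 || {
        echo "UidPwdDirAuth is not registered in $_cs" >&2
        return 1
    }
    _p=auths.instance.UserDirEnrollment
    set_cfg_param "$_cs" "$_p.pluginName" UidPwdDirAuth
    set_cfg_param "$_cs" "$_p.ldap.basedn" dc=example,dc=com
    set_cfg_param "$_cs" "$_p.ldap.ldapauth.authtype" BasicAuth
    set_cfg_param "$_cs" "$_p.ldap.ldapauth.bindDN" "cn=Directory Manager"
    set_cfg_param "$_cs" "$_p.ldap.ldapauth.bindPWPrompt" internaldb
    set_cfg_param "$_cs" "$_p.ldap.ldapconn.host" "$_host"
    set_cfg_param "$_cs" "$_p.ldap.ldapconn.port" "$_port"
    set_cfg_param "$_cs" "$_p.ldap.ldapconn.secureConn" "$_secure"
    set_cfg_param "$_profile" enable true
    set_cfg_param "$_profile" auth.instance_id UserDirEnrollment
}

# Constructed stand-ins for /var/lib/pki/pki-tomcat/ca/conf/CS.cfg and
# .../profiles/ca/caDirUserCert.cfg so the script runs without a CA installed.
DEMO_DIR=$(mktemp -d)
DEMO_CS_CFG="$DEMO_DIR/CS.cfg"
DEMO_PROFILE_CFG="$DEMO_DIR/caDirUserCert.cfg"
printf '%s\n' \
    'auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication' \
    'auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false' > "$DEMO_CS_CFG"
printf '%s\n' 'enable=false' 'auth.instance_id=UserDirEnrollment' \
    'policyset.userCertSet.2.default.params.range=180' > "$DEMO_PROFILE_CFG"

# Use the directory's TLS port (assumed 636) so user passwords do not cross the
# network in the clear. Run twice: the second pass must change nothing.
configure_dir_auth "$DEMO_CS_CFG" "$DEMO_PROFILE_CFG" pki.example.com 636 true
configure_dir_auth "$DEMO_CS_CFG" "$DEMO_PROFILE_CFG" pki.example.com 636 true
```

Point `configure_dir_auth` at the real CS.cfg and profile file, restart the server as above, and the pre-existing `secureConn=false` line is replaced rather than shadowed by a second entry; re-running the script produces no further changes.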