Configuring PIN Authenticated Certificate Profile - dogtagpki/pki GitHub Wiki
This document describes how to configure a PIN-authenticated certificate profile such as:
- caDirPinUserCert: Directory-Pin-Authenticated User Dual-Use Certificate Enrollment
- caECDirPinUserCert: Directory-Pin-Authenticated User Dual-Use ECC Certificate Enrollment
Prepare a publicly accessible LDAP subtree that contains users. Each user must be able to authenticate using a password. For example:
$ ldapadd -H ldap://ds.example.com -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: uid=pinmanager,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: pinmanager
cn: PIN Manager
sn: Manager
userPassword: Secret.123

dn: ou=people,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: people
aci: (target="ldap:///ou=people,dc=example,dc=com") (targetattr=objectClass||dc||ou||uid||cn||sn||givenName) (version 3.0; acl "Allow anyone to read and search basic attributes"; allow (search, read) userdn = "ldap:///anyone";)
aci: (target="ldap:///ou=people,dc=example,dc=com") (targetattr=*) (version 3.0; acl "Allow anyone to read and search itself"; allow (search, read) userdn = "ldap:///self";)

dn: uid=testuser,ou=people,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: testuser
cn: Test User
sn: User
userPassword: Secret.123
EOF
Use setpin to set up the LDAP schema and ACI attributes:
$ sed \
    -e "s/^host=.*$/host=ds.example.com/" \
    -e "s/^port=.*$/port=3389/" \
    -e "s/^binddn=.*$/binddn=cn=Directory Manager/" \
    -e "s/^bindpw=.*$/bindpw=Secret.123/" \
    -e "s/^pinmanager=.*$/pinmanager=uid=pinmanager,dc=example,dc=com/" \
    -e "s/^pinmanagerpwd=.*$/pinmanagerpwd=Secret.123/" \
    -e "s/^basedn=.*$/basedn=ou=people,dc=example,dc=com/" \
    /usr/share/pki/tools/setpin.conf > setpin.conf
$ setpin optfile=setpin.conf
Use setpin to generate PINs for all users:
$ sed -i "/^setup=/d" setpin.conf
$ setpin \
    filter="(objectClass=person)" \
    optfile=setpin.conf \
    output=setpin.out \
    write
The PINs will be stored in setpin.out as follows:
dn:uid=testuser,ou=people,dc=example,dc=com
pin:GIRbLe
status:added
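The setpin output above is the only copy of the cleartext PINs, so an operator typically has to turn it into per-user records for out-of-band delivery and spot users for which no PIN was written. The following parser is an added example, not code from the wiki page or from the pki project: the record layout (one dn:, pin: and status: field per user) is assumed from the sample shown above, and the sample records embedded in the script, including the status value notadded, are constructed for this example.

```python
"""Parse a setpin output file and summarize which users received a PIN.

Added example, not part of the original wiki page or the pki project. The record
layout (one "dn:", "pin:" and "status:" field per user) is assumed from the
sample on the page; the records below are constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of a setpin.out file (PIN and status values are made up).
SAMPLE_SETPIN_OUT = """\
dn:uid=testuser,ou=people,dc=example,dc=com
pin:GIRbLe
status:added

dn:uid=pinmanager,dc=example,dc=com
pin:Qr7tZp
status:added

dn:uid=nopin,ou=people,dc=example,dc=com
status:notadded
"""

FIELD_RE = re.compile(r"^(dn|pin|status):(.*)$")


def parse_setpin_output(text: str) -> List[Dict[str, str]]:
    """Split setpin output into one dict per user record.

    A new record starts at every "dn:" field, so the parser works whether the
    fields sit on separate lines or were joined onto one line by copy-and-paste.
    """
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    # Split only on whitespace that is followed by a field name, so DN values
    # that themselves contain spaces (e.g. "cn=PIN Manager") stay intact.
    for token in re.split(r"\s+(?=(?:dn|pin|status):)", text.strip()):
        m = FIELD_RE.match(token.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "dn":
            if current:
                records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


def summarize(records: List[Dict[str, str]]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Group DNs by status and list the records that carry no PIN at all."""
    by_status: Dict[str, List[str]] = {}
    for r in records:
        by_status.setdefault(r.get("status", "unknown"), []).append(r["dn"])
    missing_pin = [r["dn"] for r in records if "pin" not in r]
    return by_status, missing_pin


if __name__ == "__main__":
    by_status, missing = summarize(parse_setpin_output(SAMPLE_SETPIN_OUT))
    for status, dns in by_status.items():
        print(f"{status}: {len(dns)} user(s)")
    for dn in missing:
        print(f"no PIN written for {dn}")
```

Because setpin.out holds cleartext PINs, keep it readable only by the operator account that runs setpin and remove it once the PINs have been handed to the users; the parser reads it from a string, so it can run on a copy held in memory rather than on a second file on disk.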
The caDirPinUserCert profile is stored in /var/lib/pki/pki-tomcat/ca/profiles/ca/caDirPinUserCert.cfg.
By default the profile is disabled. To enable the profile, update the following parameter:
enable=true
By default the certificate will be valid for 180 days. For testing, the validity range can be shortened, e.g. to 5 minutes:
policyset.userCertSet.2.default.params.range=5
policyset.userCertSet.2.default.params.rangeUnit=minute
By default the profile is configured with the PinDirEnrollment authentication manager:
auth.instance_id=PinDirEnrollment
Add the PinDirEnrollment authentication manager into /var/lib/pki/pki-tomcat/ca/conf/CS.cfg:
auths.instance.PinDirEnrollment.pluginName=UidPwdPinDirAuth
auths.instance.PinDirEnrollment.ldap.basedn=ou=people,dc=example,dc=com
auths.instance.PinDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.PinDirEnrollment.ldap.ldapconn.host=ds.example.com
auths.instance.PinDirEnrollment.ldap.ldapconn.port=389
The UidPwdPinDirAuth authentication plugin is already defined in CS.cfg:
auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication
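The profile, the auths.instance.* entries and the auths.impl.* entry live in two different files and are linked only by name, so a typo in auth.instance_id or a missing LDAP parameter only shows up when an enrollment fails. The script below is an added example, not code from the wiki page or the pki project: it parses the key=value format both files use and cross-checks the wiring before the CA is redeployed. The list of LDAP parameters it requires is an assumption taken from the settings shown on this page, and the embedded sample inputs are constructed to mirror those settings.

```python
"""Cross-check a PIN-authenticated profile against CS.cfg.

Added example, not part of the original wiki page or the pki project. It checks
that the profile is enabled, that auth.instance_id resolves to an
auths.instance.* entry in CS.cfg, that the instance's pluginName is backed by an
auths.impl.*.class definition, and that the LDAP parameters shown on the page
are present. REQUIRED_LDAP_PARAMS is an assumption taken from that page.
"""
from typing import Dict, List


def parse_cfg(text: str) -> Dict[str, str]:
    """Parse Dogtag-style key=value lines; '#' comments and blank lines are skipped."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


# Parameters the UidPwdPinDirAuth instance on this page sets (assumption).
REQUIRED_LDAP_PARAMS = (
    "ldap.basedn",
    "ldap.ldapauth.authtype",
    "ldap.ldapconn.host",
    "ldap.ldapconn.port",
)


def check_pin_profile(profile_cfg: str, cs_cfg: str) -> List[str]:
    """Return a list of problems; an empty list means the wiring is consistent."""
    profile = parse_cfg(profile_cfg)
    cs = parse_cfg(cs_cfg)
    problems: List[str] = []

    if profile.get("enable") != "true":
        problems.append("profile is disabled (enable != true)")

    instance = profile.get("auth.instance_id")
    if not instance:
        problems.append("profile has no auth.instance_id")
        return problems

    prefix = f"auths.instance.{instance}."
    plugin = cs.get(prefix + "pluginName")
    if not plugin:
        problems.append(f"CS.cfg defines no {prefix}pluginName")
        return problems

    if f"auths.impl.{plugin}.class" not in cs:
        problems.append(f"CS.cfg defines no auths.impl.{plugin}.class")

    for param in REQUIRED_LDAP_PARAMS:
        if prefix + param not in cs:
            problems.append(f"{prefix}{param} is missing")

    port = cs.get(prefix + "ldap.ldapconn.port", "")
    if port and not port.isdigit():
        problems.append(f"{prefix}ldap.ldapconn.port is not numeric: {port!r}")

    return problems


# Constructed sample inputs mirroring the settings shown on this page.
SAMPLE_PROFILE = """\
enable=true
auth.instance_id=PinDirEnrollment
policyset.userCertSet.2.default.params.range=5
policyset.userCertSet.2.default.params.rangeUnit=minute
"""

SAMPLE_CS_CFG = """\
auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication
auths.instance.PinDirEnrollment.pluginName=UidPwdPinDirAuth
auths.instance.PinDirEnrollment.ldap.basedn=ou=people,dc=example,dc=com
auths.instance.PinDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.PinDirEnrollment.ldap.ldapconn.host=ds.example.com
auths.instance.PinDirEnrollment.ldap.ldapconn.port=389
"""

if __name__ == "__main__":
    # On a real system read the profile from
    # /var/lib/pki/pki-tomcat/ca/profiles/ca/caDirPinUserCert.cfg and CS.cfg
    # from /var/lib/pki/pki-tomcat/ca/conf/CS.cfg instead of the samples.
    for problem in check_pin_profile(SAMPLE_PROFILE, SAMPLE_CS_CFG) or ["OK"]:
        print(problem)
```

Run it against the real caDirPinUserCert.cfg and CS.cfg before pki-server ca-redeploy; an empty result means the profile, instance and plugin names line up and the LDAP connection settings are at least present, though not that the directory itself answers on that host and port.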
Finally, restart the CA subsystem:
$ pki-server ca-redeploy --wait