FreeIPA
Draft version. Content is hallucinated. Do not use!

Certificate Management

Integrated PKI with Dogtag CA for automated certificate lifecycle management

Overview

FreeIPA includes an integrated Public Key Infrastructure (PKI) based on Dogtag Certificate System, providing automated certificate lifecycle management for hosts, services, and users. This eliminates manual certificate management overhead while ensuring strong cryptographic authentication across your infrastructure.

Key Capabilities

Automated Certificate Enrollment

FreeIPA automates the entire certificate enrollment process:

  • Host Certificates: Automatically issued during client enrollment
  • Service Certificates: On-demand generation for services
  • User Certificates: Smart card and email encryption certificates
  • Certificate Renewal: Automatic tracking and renewal via certmonger
  • Certificate Revocation: Immediate revocation and CRL updates

Certificate Types

Support for various certificate use cases:

  • SSL/TLS Certificates: Web servers, LDAP over SSL, VPN servers
  • Code Signing: Application and script signing
  • Email Certificates: S/MIME encryption and signing
  • Smart Card Certificates: Two-factor authentication
  • Object Signing: Document signing and verification

Certificate Authority Hierarchy

Flexible CA structure:

  • Root CA: Self-signed root certificate authority
  • Sub-CAs: Issue specific certificate types
  • External CA: Import certificates from external CAs
  • CA Renewal: Automated root and sub-CA renewal
  • Cross-Certification: Trust external PKI hierarchies

Certificate Lifecycle Management

Issuance

Request and receive certificates through multiple methods:

# Request service certificate
ipa-getcert request -K HTTP/web.example.com \
  -k /etc/pki/tls/private/server.key \
  -f /etc/pki/tls/certs/server.crt

# Request with specific profile
ipa-getcert request -K host/server.example.com \
  -k /etc/pki/tls/private/server.key \
  -f /etc/pki/tls/certs/server.crt \
  -T caIPAserviceCert

Renewal

Automated renewal through certmonger:

  • Monitors certificate expiration
  • Automatically renews before expiration
  • Updates certificate files in place
  • Restarts services as needed
  • Email notifications for renewal events

Revocation

Immediate certificate revocation:

# Revoke a certificate. The reason is the RFC 5280 CRLReason integer (0-10, 7 is
# not allowed); 1 = keyCompromise.
ipa cert-revoke 123456 --revocation-reason=1

# View revocation status (cert-show prints "Revoked:" and "Revocation reason:")
ipa cert-show 123456

Integration with Services

Web Servers

Secure Apache and Nginx with FreeIPA certificates:

# Apache SSL configuration
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
SSLCACertificateFile /etc/ipa/ca.crt

LDAP Over SSL

Secure LDAP communication:

# Configure LDAP client for SSL
ldapsearch -H ldaps://ipa.example.com \
  -x -D "uid=admin,cn=users,cn=accounts,dc=example,dc=com" \
  -W -b "dc=example,dc=com"

Email Encryption

S/MIME certificates for email security:

# Request user certificate for email from a CSR; the S/MIME profile named here
# must already exist (see Certificate Profiles)
ipa cert-request user.csr --principal=user@example.com \
  --profile-id=smime

Certificate Profiles

Custom certificate profiles for specific requirements:

# List available profiles
ipa certprofile-find

# Import custom profile (--store controls whether the profile is also stored in
# the Dogtag CA's profile database, which is required for it to be usable)
ipa certprofile-import MyCustomProfile \
  --desc="Custom certificate profile" \
  --file=custom-profile.cfg \
  --store=TRUE

Pre-configured profiles include:

  • IECUserRoles: User certificates with role attributes
  • caIPAserviceCert: Service certificates
  • KDCs_PKINIT_Certs: KDC PKINIT certificates
  • caSubsystemCert: CA subsystem certificates

Smart Card Authentication

Enable two-factor authentication with smart cards:

User Enrollment

# Add user certificate for smart card. The option takes the certificate as
# base64-encoded DER without PEM headers, so convert the PEM file first.
ipa user-add-cert jsmith \
  --certificate="$(openssl x509 -outform der -in user.crt | base64 -w 0)"

# Allow certificate-based (PKINIT) authentication alongside OTP and password.
# The option is multi-valued: repeat it once per value.
ipa config-mod --user-auth-type=password --user-auth-type=otp --user-auth-type=pkinit

System Configuration

Configure SSSD for smart card login:

[pam]
# Let SSSD authenticate users with a certificate presented through PAM
pam_cert_auth = True
# Trust anchors used to validate the user certificate (PEM bundle).
# The SSSD default is /etc/sssd/pki/sssd_auth_ca_db.pem; the FreeIPA CA chain
# is at /etc/ipa/ca.crt on enrolled clients.
pam_cert_db_path = /etc/ipa/ca.crt

Certificate Monitoring

Tracking

Monitor all certificates via certmonger:

# List tracked certificates
ipa-getcert list

# Check certificate status
ipa-getcert status -i 20210101120000

Expiration Alerts

Automated notifications before expiration:

  • Email alerts to administrators
  • Integration with monitoring systems
  • Dashboard warnings in web UI
  • Customizable notification thresholds
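The tracking and alerting described above can be driven from the text that ipa-getcert list prints. The following is an added example, not FreeIPA or certmonger code: it parses that output into one record per request, then flags requests that are not in MONITORING, are stuck, have auto-renew disabled, or expire within a configurable number of days. The sample output embedded in the block is constructed to mirror certmonger's format; the field names and the 30-day default threshold are the only assumptions.

```python
"""Parse `ipa-getcert list` output and flag tracked certificates that need attention.

Added example (not FreeIPA or certmonger code). SAMPLE_LIST is constructed to
match certmonger's text format; in production, feed in the real command output.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: two tracked requests, one healthy, one whose renewal is stuck.
SAMPLE_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20240101120000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/etc/pki/tls/private/web.key'
\tcertificate: type=FILE,location='/etc/pki/tls/certs/web.crt'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=web.example.com,O=EXAMPLE.COM
\texpires: 2024-02-10 12:00:00 UTC
\tprincipal name: HTTP/web.example.com@EXAMPLE.COM
\tpost-save command: systemctl reload httpd
\ttrack: yes
\tauto-renew: yes
Request ID '20240101130000':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=FILE,location='/etc/pki/tls/private/ldap.key'
\tcertificate: type=FILE,location='/etc/pki/tls/certs/ldap.crt'
\tCA: IPA
\tsubject: CN=ldap.example.com,O=EXAMPLE.COM
\texpires: 2025-06-01 00:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block, keyed by the tab-indented field names."""
    records = []
    current = None
    for line in text.splitlines():
        if line.startswith("Request ID '"):
            current = {"request_id": line.split("'")[1]}
            records.append(current)
        elif current is not None and line.startswith("\t") and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return records


def parse_expiry(value):
    """certmonger prints the expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def needs_attention(record, now, warn_days=30):
    """Return the reasons this request needs an operator, or [] if it is healthy.

    Healthy means: status MONITORING, not stuck, auto-renew on, and more than
    warn_days left. Anything else is reported so a renewal that silently failed
    is noticed before the certificate lapses.
    """
    reasons = []
    if record.get("status") != "MONITORING":
        reasons.append("status=%s" % record.get("status", "UNKNOWN"))
    if record.get("stuck") == "yes":
        reasons.append("request stuck")
    if record.get("auto-renew") != "yes":
        reasons.append("auto-renew disabled")
    expires = record.get("expires")
    if expires:
        remaining = parse_expiry(expires) - now
        if remaining <= timedelta(0):
            reasons.append("expired")
        elif remaining <= timedelta(days=warn_days):
            reasons.append("expires in %d days" % remaining.days)
    else:
        reasons.append("no certificate issued yet")
    return reasons


def report(text, now, warn_days=30):
    """Map request_id -> reasons, for every tracked request that needs attention."""
    out = {}
    for rec in parse_getcert_list(text):
        reasons = needs_attention(rec, now, warn_days)
        if reasons:
            out[rec["request_id"]] = reasons
    return out


if __name__ == "__main__":
    # Production use: text = subprocess.run(["ipa-getcert", "list"],
    #                                       capture_output=True, text=True).stdout
    for rid, why in report(SAMPLE_LIST, datetime.now(timezone.utc)).items():
        print(rid, "; ".join(why))
```

The status and stuck checks matter as much as the expiry date: certmonger keeps renewing on its own only while the request is in MONITORING, so a request parked in CA_UNREACHABLE or NEED_GUIDANCE will expire on schedule no matter how early the threshold is set.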

OCSP and CRL

Certificate validation services:

  • OCSP Responder: Real-time certificate validation
  • CRL Distribution: Regular CRL publication
  • OCSP Stapling: Improved TLS performance
  • CRL Caching: Optimized revocation checking

Use Cases

Zero Trust Architecture

Implement mutual TLS for zero trust security:

  • Service-to-service authentication
  • Client certificate authentication
  • Continuous authentication validation
  • Certificate-based network access control

IoT Device Management

Secure IoT devices with certificates:

  • Automated device enrollment
  • Device identity certificates
  • Secure communication channels
  • Certificate rotation for long-lived devices

Regulatory Compliance

Meet compliance requirements:

  • Audit trails for all certificate operations
  • Secure key storage
  • Certificate transparency
  • Automated compliance reporting

Best Practices

  1. Regular Backups: Backup CA keys and database
  2. Key Protection: Use HSM for root CA private keys
  3. Certificate Lifetimes: Balance security and operational overhead
  4. Monitoring: Track certificate issuance and expiration
  5. Revocation Lists: Regularly publish CRLs
  6. Profile Management: Use appropriate profiles for each use case
  7. Testing: Test certificate renewal in non-production environments

Advanced Features

Sub-CA Management

Create specialized CAs for different purposes:

# Create lightweight sub-CA
ipa ca-add webapp-ca \
  --desc="Certificates for web applications" \
  --subject="CN=Web Application CA,O=Example"

Certificate Holds

Temporarily suspend certificates:

# Place certificate on hold (CRLReason 6 = certificateHold, the only reason
# that can later be reversed)
ipa cert-revoke 123456 --revocation-reason=6

# Remove hold
ipa cert-remove-hold 123456
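The Revocation and Certificate Holds sections both rely on the RFC 5280 CRLReason codes that ipa cert-revoke takes as integers. The block below is an added example, not FreeIPA code: it maps reason names to codes, builds the revoke and remove-hold invocations as argv lists (no shell involved), and reads the Revoked / Revocation reason fields of ipa cert-show output to decide whether a certificate may be taken off hold. The ipa cert-show sample text is constructed; the parser assumes only the "Key: value" layout of those two fields.

```python
"""Revocation reason codes and the hold/un-hold decision for FreeIPA certificates.

Added example (not FreeIPA code). Assumes the `ipa cert-revoke`, `ipa cert-remove-hold`
and `ipa cert-show` commands shown on this page; SAMPLE_* texts are constructed.
"""

# RFC 5280 CRLReason values, the integers accepted by `ipa cert-revoke --revocation-reason`.
REASON_CODES = {
    "unspecified": 0,
    "keyCompromise": 1,
    "cACompromise": 2,
    "affiliationChanged": 3,
    "superseded": 4,
    "cessationOfOperation": 5,
    "certificateHold": 6,
    # 7 is unassigned in RFC 5280 and rejected by FreeIPA
    "removeFromCRL": 8,
    "privilegeWithdrawn": 9,
    "aACompromise": 10,
}


def is_valid_reason(code):
    """True for the integer codes defined above (so 7 and anything outside 0-10 are rejected)."""
    return isinstance(code, int) and code in REASON_CODES.values()


def revoke_argv(serial, reason):
    """argv for revoking `serial`; `reason` is a CRLReason name or its integer code."""
    code = REASON_CODES[reason] if isinstance(reason, str) else int(reason)
    if not is_valid_reason(code):
        raise ValueError("invalid CRLReason code %r" % (code,))
    return ["ipa", "cert-revoke", str(serial), "--revocation-reason=%d" % code]


def remove_hold_argv(serial):
    return ["ipa", "cert-remove-hold", str(serial)]


# Constructed `ipa cert-show` output for a valid certificate and for one on hold.
SAMPLE_VALID = """\
  Issuing CA: ipa
  Subject: CN=web.example.com,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not After: Wed Jan 01 12:00:00 2025 UTC
  Serial number: 123456
  Revoked: False
"""
SAMPLE_ON_HOLD = SAMPLE_VALID.replace("Revoked: False", "Revoked: True") + "  Revocation reason: 6\n"
SAMPLE_KEY_COMPROMISE = SAMPLE_VALID.replace("Revoked: False", "Revoked: True") + "  Revocation reason: 1\n"


def parse_cert_show(text):
    """Split each '  Key: value' line of cert-show output into a dict (first colon wins)."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def hold_state(cert_show_text):
    """'valid' if not revoked, 'on_hold' if revoked with reason 6, else 'revoked' (permanent)."""
    info = parse_cert_show(cert_show_text)
    if info.get("Revoked", "False") != "True":
        return "valid"
    if info.get("Revocation reason") == str(REASON_CODES["certificateHold"]):
        return "on_hold"
    return "revoked"


def next_action(serial, cert_show_text, want_suspended):
    """Return the argv that moves the certificate to the requested state, or None if
    it is already there. A certificate revoked for any reason other than
    certificateHold cannot be reinstated; the caller must issue a new one."""
    state = hold_state(cert_show_text)
    if want_suspended:
        return revoke_argv(serial, "certificateHold") if state == "valid" else None
    if state == "on_hold":
        return remove_hold_argv(serial)
    if state == "revoked":
        raise RuntimeError("certificate %s is permanently revoked; issue a new one" % serial)
    return None
```

Treating certificateHold as the one reversible state is deliberate: cert-remove-hold only applies to reason 6, and a script that tried to "un-revoke" a keyCompromise revocation would mask an incident rather than fix a mistake.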

External Signing

Use external CA to sign FreeIPA CA:

# Generate CSR for external signing
ipa-ca-install --external-ca

Getting Started

Enable certificate management for a service:

# Request certificate for web server
ipa service-add HTTP/web.example.com

# Generate and track certificate
ipa-getcert request -K HTTP/web.example.com \
  -k /etc/pki/tls/private/web.key \
  -f /etc/pki/tls/certs/web.crt \
  -D web.example.com \
  -C "systemctl reload httpd"

# Verify certificate
openssl x509 -in /etc/pki/tls/certs/web.crt -text -noout
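The three Getting Started steps, as one idempotent script. This is an added example, not FreeIPA code: it checks for the service principal before adding it, submits the certmonger request with the same -K/-k/-f/-D/-C options as above, and captures the request ID from the "New signing request ... added" line so the tracking status can be queried later. Commands are passed as argv lists, so the post-save command needs no shell quoting. The command runner is injectable; FakeRunner is a constructed stand-in that lets the flow be exercised without an IPA server and is not part of any FreeIPA tooling.

```python
"""Idempotently enable a FreeIPA-issued, certmonger-tracked certificate for an HTTP service.

Added example (not FreeIPA code). Assumes the `ipa service-show/service-add` and
`ipa-getcert request` options shown on this page. FakeRunner is a constructed test double.
"""
import re
import subprocess


def default_runner(argv):
    """Run argv without a shell; return (exit_code, stdout)."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def ensure_service(principal, run=default_runner):
    """Create the service principal only if `ipa service-show` cannot find it.
    Returns True when it was created, False when it already existed."""
    rc, _ = run(["ipa", "service-show", principal])
    if rc == 0:
        return False
    rc, out = run(["ipa", "service-add", principal])
    if rc != 0:
        raise RuntimeError("service-add failed for %s: %s" % (principal, out))
    return True


def request_cert(principal, key_path, cert_path, dns_name, post_save, run=default_runner):
    """Submit a tracked request and return the certmonger request ID.

    `post_save` is a single argv element (what -C receives), so a command with
    spaces needs no quoting and cannot be split by a shell.
    """
    argv = ["ipa-getcert", "request", "-K", principal, "-k", key_path, "-f", cert_path,
            "-D", dns_name, "-C", post_save]
    rc, out = run(argv)
    if rc != 0:
        raise RuntimeError("ipa-getcert request failed: %s" % out)
    m = re.search(r'New signing request "([^"]+)" added', out)
    if not m:
        raise RuntimeError("could not find request ID in: %r" % out)
    return m.group(1)


def enable_service_cert(host, key_path, cert_path, post_save, run=default_runner):
    """Steps 1-2 of Getting Started; step 3 (openssl x509 -text) stays a manual check."""
    principal = "HTTP/" + host
    created = ensure_service(principal, run)
    request_id = request_cert(principal, key_path, cert_path, host, post_save, run)
    return {"principal": principal, "service_created": created, "request_id": request_id}


class FakeRunner:
    """Constructed stand-in for the IPA CLI: records every argv and scripts the replies."""

    def __init__(self, existing_services=()):
        self.existing = set(existing_services)
        self.calls = []

    def __call__(self, argv):
        self.calls.append(argv)
        if argv[:2] == ["ipa", "service-show"]:
            if argv[2] in self.existing:
                return 0, "  Principal name: %s\n" % argv[2]
            return 2, "ipa: ERROR: %s: service not found\n" % argv[2]
        if argv[:2] == ["ipa", "service-add"]:
            self.existing.add(argv[2])
            return 0, 'Added service "%s"\n' % argv[2]
        if argv[:2] == ["ipa-getcert", "request"]:
            return 0, 'New signing request "20240101120000" added.\n'
        return 1, "unexpected command: %r\n" % (argv,)


if __name__ == "__main__":
    result = enable_service_cert("web.example.com", "/etc/pki/tls/private/web.key",
                                 "/etc/pki/tls/certs/web.crt", "systemctl reload httpd",
                                 run=FakeRunner())
    print(result)
```

Running the real thing means dropping the run=FakeRunner() argument; the script then needs a Kerberos ticket for an identity allowed to add services and to request certificates for them, which is the same requirement the manual commands have.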