FreeIPA
Draft version. Content is hallucinated. Do not use!
integration

Automating Certificate Management with FreeIPA

Leverage FreeIPA's integrated PKI and certmonger for seamless certificate lifecycle automation

intermediate 90 minutes
PKI certmonger Dogtag CA TLS

Prerequisites

  • Working FreeIPA installation with CA configured (--setup-ca)
  • IPA-enrolled client systems
  • Basic understanding of SSL/TLS certificates
  • Root or sudo access on client systems

Introduction

Manual certificate management is error-prone and doesn’t scale. Expired certificates cause outages, while manual renewals consume valuable time. FreeIPA’s integrated PKI combined with certmonger provides comprehensive certificate lifecycle automation, eliminating manual intervention while ensuring security.

The Challenge of Certificate Management

Traditional certificate management faces several challenges:

  • Manual Renewals: Tracking and renewing certificates before expiration
  • Deployment Overhead: Distributing certificates to services
  • Service Restarts: Applying new certificates without downtime
  • Revocation Management: Responding quickly to compromises
  • Compliance: Meeting audit requirements for certificate usage

FreeIPA addresses all these challenges through automation.

Architecture Overview

Components

FreeIPA’s certificate automation relies on:

  1. Dogtag CA: Enterprise PKI providing certificate authority services
  2. certmonger: Client-side certificate tracking and renewal daemon
  3. IPA Framework: Orchestration and policy enforcement
  4. LDAP Directory: Certificate storage and distribution
  5. Kerberos: Secure authentication for certificate operations

How It Works

┌─────────────┐      Request      ┌──────────────┐
│ certmonger  │ ─────────────────> │   Dogtag CA  │
│   (client)  │                    │   (server)   │
└─────────────┘                    └──────────────┘
      │                                    │
      │ Kerberos Auth                      │
      ▼                                    ▼
┌─────────────┐                    ┌──────────────┐
│  IPA Client │ <───────────────── │  IPA Server  │
│   (host)    │     Certificate    │  (LDAP/CA)   │
└─────────────┘                    └──────────────┘

Initial Setup

Server-Side Configuration

FreeIPA servers come with CA pre-configured (if installed with --setup-ca):

# Verify CA is running
systemctl status pki-tomcatd@pki-tomcat

# Check CA status
ipa-cacert-manage status

# View certificate profiles
ipa certprofile-find

Client-Side Preparation

Ensure certmonger is running on clients:

# Install certmonger
dnf install certmonger

# Enable and start service
systemctl enable --now certmonger

# Verify it's tracking certificates
getcert list

Automating Service Certificates

Web Server Certificates

Automate Apache SSL certificate management:

# Create service principal
ipa service-add HTTP/web.example.com

# Request and track certificate
ipa-getcert request \
  -K HTTP/web.example.com \
  -k /etc/pki/tls/private/server.key \
  -f /etc/pki/tls/certs/server.crt \
  -D web.example.com \
  -D www.example.com \
  -C "systemctl reload httpd"

# Verify tracking
ipa-getcert list

Parameters explained:

  • -K: Kerberos principal for the service
  • -k: Private key file location
  • -f: Certificate file location
  • -D: Subject alternative names (SANs)
  • -C: Command to run after renewal

Apache configuration:

<VirtualHost *:443>
    ServerName web.example.com
    ServerAlias www.example.com

    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.key
    SSLCACertificateFile /etc/ipa/ca.crt

    # Additional SSL configuration
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5

    # Your application configuration
    DocumentRoot /var/www/html
</VirtualHost>

LDAP Server Certificates

Secure LDAP with automated certificates:

# Create LDAP service
ipa service-add ldap/ldap.example.com

# Request certificate
ipa-getcert request \
  -K ldap/ldap.example.com \
  -k /etc/openldap/certs/server.key \
  -f /etc/openldap/certs/server.crt \
  -C "systemctl reload slapd"

OpenLDAP configuration:

# /etc/openldap/slapd.conf
TLSCertificateFile /etc/openldap/certs/server.crt
TLSCertificateKeyFile /etc/openldap/certs/server.key
TLSCACertificateFile /etc/ipa/ca.crt

Database Certificates

PostgreSQL with SSL:

# Request certificate
ipa-getcert request \
  -K postgres/db.example.com \
  -k /var/lib/pgsql/data/server.key \
  -f /var/lib/pgsql/data/server.crt \
  -o /var/lib/pgsql \
  -C "systemctl reload postgresql"

# Set ownership
chown postgres:postgres /var/lib/pgsql/data/server.*
chmod 600 /var/lib/pgsql/data/server.key

PostgreSQL configuration:

# postgresql.conf
ssl = on
ssl_cert_file = '/var/lib/pgsql/data/server.crt'
ssl_key_file = '/var/lib/pgsql/data/server.key'
ssl_ca_file = '/etc/ipa/ca.crt'

Advanced Automation

Custom Certificate Profiles

Create profiles for specific requirements:

# Export existing profile as template
ipa certprofile-show caIPAserviceCert --out=custom-profile.cfg

# Edit profile for your needs
vim custom-profile.cfg

# Import custom profile
ipa certprofile-import MyWebServerCert \
  --desc="Custom web server certificates" \
  --file=custom-profile.cfg \
  --store=true

# Use custom profile
ipa-getcert request \
  -K HTTP/web.example.com \
  -k /etc/pki/tls/private/server.key \
  -f /etc/pki/tls/certs/server.crt \
  -T MyWebServerCert

Pre-Renewal Hooks

Execute actions before renewal:

# Request with pre-save command
ipa-getcert request \
  -K HTTP/web.example.com \
  -k /etc/pki/tls/private/server.key \
  -f /etc/pki/tls/certs/server.crt \
  -B "/usr/local/bin/pre-renewal.sh" \
  -C "/usr/local/bin/post-renewal.sh"

Pre-renewal script example:

#!/bin/bash
# /usr/local/bin/pre-renewal.sh

# Backup current certificate
cp /etc/pki/tls/certs/server.crt \
   /etc/pki/tls/certs/server.crt.backup.$(date +%Y%m%d)

# Notify monitoring system
curl -X POST https://monitoring.example.com/api/events \
  -d '{"event": "certificate_renewal_started", "host": "'$(hostname)'"}'

exit 0

Post-renewal script:

#!/bin/bash
# /usr/local/bin/post-renewal.sh

# Reload web server
systemctl reload httpd

# Verify new certificate
openssl x509 -in /etc/pki/tls/certs/server.crt -noout -dates

# Notify monitoring system
curl -X POST https://monitoring.example.com/api/events \
  -d '{"event": "certificate_renewed", "host": "'$(hostname)'"}'

# Send success email
echo "Certificate renewed successfully on $(hostname)" | \
  mail -s "Certificate Renewal Success" admin@example.com

exit 0

Wildcard Certificates

Request wildcard certificates for multiple subdomains:

# Create service for wildcard
ipa service-add HTTP/*.example.com

# Request wildcard certificate
ipa-getcert request \
  -K 'HTTP/*.example.com' \
  -k /etc/pki/tls/private/wildcard.key \
  -f /etc/pki/tls/certs/wildcard.crt \
  -D '*.example.com' \
  -D 'example.com'

Monitoring and Maintenance

Tracking Status

Monitor certificate status:

# List all tracked certificates
ipa-getcert list

# Check specific certificate
ipa-getcert list -f /etc/pki/tls/certs/server.crt

# Show detailed information
ipa-getcert list -v

Output includes:

  • Certificate serial number
  • Expiration date
  • Days until expiration
  • Last renewal status
  • Next renewal attempt

Automated Monitoring

Script for monitoring:

#!/bin/bash
# /usr/local/bin/check-certs.sh

WARN_DAYS=30
CRIT_DAYS=7

while read -r line; do
  if [[ $line =~ expires:\ ([0-9]+)\ day ]]; then
    days="${BASH_REMATCH[1]}"

    if [ "$days" -le "$CRIT_DAYS" ]; then
      echo "CRITICAL: Certificate expires in $days days"
      exit 2
    elif [ "$days" -le "$WARN_DAYS" ]; then
      echo "WARNING: Certificate expires in $days days"
      exit 1
    fi
  fi
done < <(ipa-getcert list)

echo "OK: All certificates valid"
exit 0

Integrate with monitoring systems:

# Nagios/Icinga check
command[check_ipa_certs]=/usr/local/bin/check-certs.sh

# Prometheus node exporter
# Export metrics for scraping

Manual Renewal

Force renewal when needed:

# Resubmit certificate request
ipa-getcert resubmit -i 20240315120000

# Resubmit all expiring certificates
ipa-getcert resubmit-all

Troubleshooting

Common Issues

Issue: Certificate request stuck in CA_UNREACHABLE

# Check IPA server connectivity
ping ipa.example.com

# Verify Kerberos ticket
klist

# Test certificate enrollment
ipa cert-show 1

# Check certmonger logs
journalctl -u certmonger -f

Issue: Renewal failed with NEED_KEY_GEN_PERMS

# Fix file permissions
chmod 600 /etc/pki/tls/private/server.key
chown root:root /etc/pki/tls/private/server.key

# Retry
ipa-getcert resubmit -i 20240315120000

Issue: Certificate not renewed before expiration

# Check renewal schedule
ipa-getcert list -i 20240315120000 | grep attempt

# Manually trigger renewal
ipa-getcert resubmit -i 20240315120000

# Review certmonger configuration
cat /etc/certmonger/certmonger.conf

Log Analysis

Monitor logs for issues:

# Certmonger logs
journalctl -u certmonger --since "24 hours ago"

# IPA CA logs
tail -f /var/log/pki/pki-tomcat/ca/debug.$(date +%Y%m%d).log

# httpd errors
tail -f /var/log/httpd/error_log

Best Practices

1. Test Before Production

Always test certificate automation in non-production:

# Request with test profile first
ipa-getcert request -K test/test.example.com \
  -k /tmp/test.key \
  -f /tmp/test.crt

# Verify renewal works
ipa-getcert resubmit -f /tmp/test.crt

# Clean up test certificates
ipa-getcert stop-tracking -f /tmp/test.crt

2. Set Appropriate Validity Periods

Balance security and operational overhead:

  • High-security services: 30-90 days
  • Standard services: 90-365 days
  • Internal services: Up to 2 years

Configure in certificate profile:

# Validity period in days
profileId=caIPAserviceCert
policyset.serverCertSet.2.default.params.range=365

3. Monitor Expiration

Implement alerting:

  • 60 days: Notice to plan renewal
  • 30 days: Warning, verify automation working
  • 7 days: Critical, manual intervention may be needed

4. Document Service Certificates

Maintain inventory:

# Generate certificate inventory
ipa cert-find --all --raw > cert-inventory.json

# Track in configuration management
# Ansible, Puppet, etc.

5. Secure Private Keys

Protect private key files:

# Correct permissions
chmod 600 /etc/pki/tls/private/*.key
chown root:root /etc/pki/tls/private/*.key

# Use hardware security modules for critical keys
# Configure certmonger with HSM support

Integration Examples

Load Balancers

HAProxy with automated certificates:

# Request certificate
ipa-getcert request \
  -K HTTP/lb.example.com \
  -k /etc/haproxy/certs/server.key \
  -f /etc/haproxy/certs/server.crt \
  -C "/usr/local/bin/combine-cert.sh"

Combination script for HAProxy:

#!/bin/bash
# /usr/local/bin/combine-cert.sh

cat /etc/haproxy/certs/server.crt \
    /etc/haproxy/certs/server.key \
    > /etc/haproxy/certs/server.pem

chmod 600 /etc/haproxy/certs/server.pem
systemctl reload haproxy

Container Orchestration

Kubernetes integration:

# Request certificate for Kubernetes API
ipa-getcert request \
  -K kubernetes/api.cluster.example.com \
  -k /etc/kubernetes/pki/apiserver.key \
  -f /etc/kubernetes/pki/apiserver.crt \
  -D api.cluster.example.com \
  -D kubernetes.default.svc \
  -C "systemctl restart kube-apiserver"

Cloud Environments

AWS/Azure/GCP with FreeIPA certificates:

# Request certificate
ipa-getcert request \
  -K HTTP/cloud-app.example.com \
  -k /var/lib/cloud-app/server.key \
  -f /var/lib/cloud-app/server.crt

# Upload to cloud provider (post-renewal)
aws acm import-certificate \
  --certificate file:///var/lib/cloud-app/server.crt \
  --private-key file:///var/lib/cloud-app/server.key

Scaling Certificate Management

Multi-Server Deployments

Distribute certificate management:

# Each server tracks its own certificates
# Use Ansible/Puppet to deploy configuration

# Ansible playbook example
- name: Request service certificate
  shell: |
    ipa-getcert request \
      -K HTTP/{{ ansible_fqdn }} \
      -k /etc/pki/tls/private/server.key \
      -f /etc/pki/tls/certs/server.crt \
      -C "systemctl reload httpd"
  args:
    creates: /etc/pki/tls/certs/server.crt

Certificate Revocation

Handle compromises quickly:

# Revoke certificate immediately
ipa cert-revoke 123456 --revocation-reason=keyCompromise

# Stop tracking on client
ipa-getcert stop-tracking -f /etc/pki/tls/certs/server.crt

# Request new certificate
ipa-getcert request \
  -K HTTP/web.example.com \
  -k /etc/pki/tls/private/server-new.key \
  -f /etc/pki/tls/certs/server-new.crt

# Update service configuration and restart

Conclusion

FreeIPA’s certificate automation eliminates manual certificate management overhead while ensuring services always have valid certificates. By leveraging certmonger and Dogtag CA integration, you can achieve:

  • Zero-touch renewals: Certificates renew automatically
  • Consistent security: Centralized policy enforcement
  • Reduced outages: No more expired certificate incidents
  • Compliance: Automated audit trails
  • Scalability: Manage thousands of certificates effortlessly

Start automating your certificate management today and focus on building great services instead of chasing certificate renewals!

Resources

Questions about certificate automation? Ask the FreeIPA community!