Photo by Oscar Sutton on Unsplash

Certificate management with FreeIPA and Dogtag

Show Your ID

Article from ADMIN 70/2022
The Dogtag certificate manager integrated into the FreeIPA open source toolset generates SSL/TLS certificates for intranet services and publishes them on the network.

Both internal and external services rely on encrypted communication with SSL and TLS. For external services, administrators use officially signed certificates, although Let's Encrypt is absolutely fine in many scenarios. In contrast, internal services predominantly rely on self-signed certificates, which always cause a stir with web browsers on the local area network (LAN) by generating messages such as "The server's certificate is unknown."

Administrators would prefer to see a nice lock icon displayed in the browser for a trusted TLS connection – for their intranet applications, too – instead of requiring users to create an individual exception in the browser for every internal application. This also means that stricter security policies can be applied for browsers on the corporate network, preventing users from opening untrusted connections at all or from creating exceptions. Admins also want other internal services to use trusted certificates and SSL for communication.

All you need is your own certificate authority (CA) on your intranet to manage and sign certificates for the connected services. Internal computers then only need to trust this internal root CA for all keys signed by it to be identified as valid.

Dogtag [1], the open source certificate system, offers a simple approach to managing an internal CA, and it integrates seamlessly with the FreeIPA [2] user directory. FreeIPA is to Linux what Active Directory (AD) is to the Windows world. It uses the same technology with a Lightweight Directory Access Protocol (LDAP) back end and Kerberos authentication. AD and an Identity, Policy, and Audit (IPA) system can trust each other with cross-domain trusts, allowing administrators of heterogeneous networks to run a connected directory for Windows and Linux machines.

In this article, I review the basic features of

