freeipa/install/share/profiles
Rob Crittenden c0d55ce6de Centralize enable/disable of the ACME service
The initial implementation of ACME in dogtag and IPA required
that ACME be manually enabled on each CA.

dogtag added a REST API that can be accessed directly or through
the `pki acme` CLI tool to enable or disable the service.

It also abstracted the database connection and introduced the
concept of a realm which defines the DIT for ACME users and
groups, the URL and the identity. This is configured in realm.conf.

A new group was created, Enterprise ACME Administrators, that
controls the users allowed to modify ACME configuration.

The IPA RA is added to this group for the ipa-acme-manage tool
to authenticate to the API to enable/disable ACME.

Related dogtag installation documentation:
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring_ACME_Database.md
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring_ACME_Realm.md
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Installing_PKI_ACME_Responder.md

ACME REST API:
https://github.com/dogtagpki/pki/wiki/PKI-ACME-Enable-REST-API

https://pagure.io/freeipa/issue/8524

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-11-02 10:43:57 -05:00
acmeIPAServerCert.cfg Centralize enable/disable of the ACME service 2020-11-02 10:43:57 -05:00
caIPAserviceCert.cfg Add CommonNameToSANDefault to default cert profile 2017-06-27 14:25:58 +00:00
caIPAserviceCert.UPGRADE.cfg Restore old version of caIPAserviceCert for upgrade only 2017-08-14 19:25:59 +02:00
IECUserRoles.cfg Add profile for DNP3 / IEC 62351-8 certificates 2015-08-11 14:57:41 +02:00
KDCs_PKINIT_Certs.cfg Configure Anonymous PKINIT on server install 2016-12-12 13:39:44 +01:00
Makefile.am Centralize enable/disable of the ACME service 2020-11-02 10:43:57 -05:00
README Add a README to certificate profile templates directory 2017-06-15 13:55:09 +02:00

This directory contains profile TEMPLATES for certificate profiles
included in FreeIPA.  Do not import these files or modifications
thereof - it is likely that Dogtag will accept the configuration,
but certificate issuance will fail with the updated configuration.
At best, it will not give you the certificates you want.

If you want to modify a profile configuration or create a new
profile based on an existing profile configuration, you should
export the current profile configuration with the command:

    ipa certprofile-show --out FILENAME PROFILE_NAME

After modifying the configuration, update the profile configuration:

    ipa certprofile-mod --file FILENAME PROFILE_NAME

Or, if you are creating a new profile:

    ipa certprofile-import --desc DESC --store 1 \
        --file FILENAME NEW_PROFILE_NAME