Configuring Directory Authenticated Certificate Profiles

Overview

This document describes how to configure directory-authenticated certificate profiles:

• caDirUserCert: Directory-Authenticated User Dual-Use Certificate Enrollment

• caECDirUserCert: Directory-Authenticated User ECC Certificate Enrollment

• caDirUserRenewal: Directory-Authenticated User Certificate Self-Renew profile

Prerequisites

Prepare a publicly accessible LDAP subtree that contains users. Each user must be able to authenticate using a password. For example:

$ ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: ou=people,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: people
aci: (target="ldap:///ou=people,dc=example,dc=com")
 (targetattr=objectClass||dc||ou||uid||cn||sn||givenName)
 (version 3.0; acl "Allow anyone to read and search basic attributes"; allow (search, read) userdn = "ldap:///anyone";)
aci: (target="ldap:///ou=people,dc=example,dc=com")
 (targetattr=*)
 (version 3.0; acl "Allow anyone to read and search itself"; allow (search, read) userdn = "ldap:///self";)

dn: uid=testuser,ou=people,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: testuser
cn: Test User
sn: User
userPassword: Secret.123
EOF

Verify the authentication using the following command:

$ ldapsearch \
    -H ldap://$HOSTNAME \
    -x \
    -D "uid=testuser,ou=People,dc=example,dc=com" \
    -w Secret.123 \
    -b "dc=example,dc=com" \
    "(objectClass=*)"

Configuring caDirUserCert Profile

The caDirUserCert profile is stored in /var/lib/pki/pki-tomcat/ca/profiles/ca/caDirUserCert.cfg.

By default the profile is disabled. To enable the profile update the following parameter:

enable=true

By default the certificate will be valid for 180 days. For testing the validity range can be shortened, e.g. to 5 minutes:

policyset.userCertSet.2.default.params.range=5
policyset.userCertSet.2.default.params.rangeUnit=minute

By default the profile is configured with UserDirEnrollment authentication manager:

auth.instance_id=UserDirEnrollment

Add the UserDirEnrollment authentication manager into /var/lib/pki/pki-tomcat/ca/conf/CS.cfg:

auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth
auths.instance.UserDirEnrollment.ldap.basedn=dc=example,dc=com
auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=internaldb
auths.instance.UserDirEnrollment.ldap.ldapconn.host=pki.example.com
auths.instance.UserDirEnrollment.ldap.ldapconn.port=389
auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false

The UidPwdDirAuth authentication plugin is already defined in the CS.cfg:

auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication

Finally, restart PKI server:

$ systemctl restart [email protected]

Enrollment

See Certificate Enrollment with Directory Authenticated Profile.

Renewal

See Certificate Renewal with Directory-Authenticated Profile.

See Also

• Configuring Authentication Managers

• Certificate Profiles

• PKI CA Certificate CLI

• Ticket #2022: pki cli client-cert-request should support dir based auth