Tuesday, March 28, 2017

Certificates in IPA/IDM Explained

Certificates in IPA/IDM for Dummies




As described in the figure above, a certificate in its simplest form 'certifies' the identity of a 'thing' attempting to access domain resources: it binds that thing's name to its public key, and the CA's signature over that binding is what lets everyone else in the domain trust it. I like to think of a certificate as a fingerprint, or maybe a strand of a 'thing's' DNA. Those 'things' can be machines, services or people attempting to gain access to network resources.

As mentioned in a separate blog entry, IPA/IDM comprises and integrates several major components that all work together to manage resources and users, acting as a domain controller (DC).

(That blog entry can be found here: 

In this blog entry I will be examining the Certificate System.  

Given that IPA/IDM uses Kerberos, why does IPA/IDM (Identity Manager) need certificates at all?

Within an IPA/IDM domain, certain applications (web-based and others) and even machines have to use certificates, most often for SSL/TLS communication. As an example, when a client (a workstation in this example) joins a domain, it talks to the server over HTTPS and LDAP. That traffic is protected with SSL/TLS, and TLS requires the server to present a certificate. Kerberos authenticates the parties to each other, but the services they talk to still need a protected transport, and that transport is TLS.

As a reminder, SSL/TLS (Transport Layer Security; SSL is its obsolete predecessor) are protocols that encrypt and authenticate communications over the network. The server's certificate is what the client checks to know it is talking to the real server rather than an impostor.

Let's take a quick look at this graphic which illustrates how certificates are exchanged when a client workstation joins an IPA/IDM Domain (click to see larger view):



Taken all together, IPA/IDM uses PKI (Public Key Infrastructure) to manage certificates.  Here is a working definition of PKI:

A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption. ... In IPA/IDM the certificate authority (CA) role is played by Dogtag, and the registration authority (RA) role, vetting and submitting requests, is played by the IPA server itself: it authenticates to Dogtag with its own RA agent certificate and submits certificate requests on behalf of enrolled hosts and services.

IPA/IDM uses two separate but related components to establish its PKI: Dogtag and certmonger.

Dogtag: The Dogtag Certificate System is an enterprise-class open source Certificate Authority (CA). 

  • The Certificate Manager is a certificate authority (CA). It issues, renews, and publishes certificates. The Certificate Manager also creates and publishes certificate revocation lists (CRLs).

Certmonger: automates the management of certificates and requests new certificates from the CA before the existing ones expire.

The certmonger daemon monitors certificates for impending expiration, and can optionally refresh soon-to-be-expired certificates with the help of a CA. If told to, it can drive the entire enrollment process from key generation through enrollment and refresh.

Put another way: certmonger tracks certificates so you don't have to!

A big part of the reason for PKI in IPA/IDM is LDAP. The directory server holds the users, hosts and Kerberos keys of the domain, so communication with LDAP must be secure! LDAPS and STARTTLS both run over TLS, and the only way we get TLS communication with LDAP is a server certificate issued by a CA the clients trust, i.e. certificates/PKI.

Even the Apache-based IPA/IDM Web UI uses a certificate for secure (HTTPS) communications.


So within IPA/IDM the CA server is provided by Dogtag, which is installed as the default option. The Dogtag CA can self-sign its own CA certificate (the default), or you can install with an external CA (ipa-server-install --external-ca) and send the CA's certificate signing request out to be signed by a third party, such as a commercial CA like Verisign or your own corporate root CA. In the self-signed case every client has to trust the IPA CA certificate, which ipa-client-install places in /etc/ipa/ca.crt; in the externally signed case the IPA CA is a subordinate CA chaining up to the external root.

The certmonger daemon essentially manages certificates on the client side, again so you don't have to! It talks to the IPA server on the client's behalf (through its IPA CA helper); the IPA server, acting as registration authority, forwards the request to the Dogtag CA, and certmonger then stores the issued certificate where you told it to and keeps watching its expiry date.

There is very little manual management of certificates when you use IPA/IDM, but very little is not none: automatic renewal depends on the tracking request being in a healthy state. A host that sat powered off past its certificate's expiry date, has a badly skewed clock, or cannot reach the CA ends up with an expired certificate and a request stuck in a state such as CA_UNREACHABLE or NEED_GUIDANCE. Periodically checking the output of getcert list is the cheap way to catch that before a service goes down.
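The check described above, written out as an added example (this is not code from the original post, IPA or certmonger): a small POSIX sh/awk audit that reads the output of getcert list and prints a WARN line for every tracking request that is not in the MONITORING state or whose certificate expires before a cutoff date. The sample getcert output embedded in the block is constructed to follow the layout getcert list prints; the request IDs, subjects and file paths in it are assumptions, not values captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original post or of certmonger itself.
# Audits 'getcert list' output for unhealthy or soon-to-expire tracking requests.
# Assumes only POSIX sh and awk. The sample below is constructed (request IDs,
# subjects and paths are made up) but follows the layout 'getcert list' prints.

# Write a constructed sample of 'getcert list' output to the file named in $1.
write_sample() {
    cat >"$1" <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20170328120001':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipa.example.com,O=EXAMPLE.COM
    expires: 2019-03-28 12:00:01 UTC
    principal name: ldap/ipa.example.com@EXAMPLE.COM
    track: yes
    auto-renew: yes
Request ID '20170328120002':
    status: CA_UNREACHABLE
    stuck: yes
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=IPA RA,O=EXAMPLE.COM
    expires: 2019-03-28 12:00:02 UTC
    track: yes
    auto-renew: yes
Request ID '20170328120003':
    status: MONITORING
    stuck: no
    certificate: type=FILE,location='/etc/pki/tls/certs/httpd.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ws1.example.com,O=EXAMPLE.COM
    expires: 2017-04-02 08:15:00 UTC
    principal name: HTTP/ws1.example.com@EXAMPLE.COM
    track: yes
    auto-renew: yes
EOF
}

# Print one WARN line per problem found in the 'getcert list' output in $1.
# $2 is a cutoff date (YYYY-MM-DD): certificates expiring before it are flagged.
# Dates are compared as ISO strings, so no GNU 'date -d' is needed.
certmonger_audit() {
    awk -v cutoff="$2" '
        function flush() {
            if (rid == "") return
            if (status != "MONITORING")
                printf "WARN %s %s status=%s\n", rid, subject, status
            if (expires != "" && expires < cutoff)
                printf "WARN %s %s expires=%s (before %s)\n", rid, subject, expires, cutoff
            rid = ""; status = ""; expires = ""; subject = ""
        }
        # Each "Request ID" line starts a new record; report the previous one first.
        /^Request ID/ { flush(); rid = $3; gsub(/[^0-9A-Za-z_-]/, "", rid); next }
        /^[ \t]*status:/  { status = $2 }
        /^[ \t]*expires:/ { expires = $2 }   # keep only the YYYY-MM-DD part
        /^[ \t]*subject:/ { sub(/^[ \t]*subject:[ \t]*/, ""); subject = $0 }
        END { flush() }
    ' "$1"
}

# Stand-alone demo over the constructed sample, with a cutoff 30 days after
# this post's date. On a real IPA host you would feed it live output instead:
#   getcert list > /tmp/getcert.out && certmonger_audit /tmp/getcert.out 2017-04-27
sample=$(mktemp)
write_sample "$sample"
certmonger_audit "$sample" 2017-04-27
rm -f "$sample"
```

Run against the sample this prints two WARN lines: the RA agent request stuck in CA_UNREACHABLE (the one that, left alone, would eventually take every renewal on the server down with it) and the workstation's HTTP certificate that expires inside the 30-day window. Anything not in MONITORING is worth a look even if the certificate is still valid; that is the signal that certmonger has already tried and failed, and that the renewal will not happen by itself.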
