-
Notifications
You must be signed in to change notification settings - Fork 137
Configuring PIN Authenticated Certificate Profile
This document describes how to configure a PIN-authenticated certificate profile such as:
-
caDirPinUserCert: Directory-Pin-Authenticated User Dual-Use Certificate Enrollment
-
caECDirPinUserCert: Directory-Pin-Authenticated User Dual-Use ECC Certificate Enrollment
Prepare a publicly accessible LDAP subtree that contains users. Each user must be able to authenticate using a password. For example:
$ ldapadd -H ldap://ds.example.com -x -D "cn=Directory Manager" -w Secret.123 << EOF dn: uid=pinmanager,dc=example,dc=com objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson uid: pinmanager cn: PIN Manager sn: Manager userPassword: Secret.123 dn: ou=people,dc=example,dc=com objectclass: top objectclass: organizationalUnit ou: people aci: (target="ldap:///ou=people,dc=example,dc=com") (targetattr=objectClass||dc||ou||uid||cn||sn||givenName) (version 3.0; acl "Allow anyone to read and search basic attributes"; allow (search, read) userdn = "ldap:///anyone";) aci: (target="ldap:///ou=people,dc=example,dc=com") (targetattr=*) (version 3.0; acl "Allow anyone to read and search itself"; allow (search, read) userdn = "ldap:///self";) dn: uid=testuser,ou=people,dc=example,dc=com objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson uid: testuser cn: Test User sn: User userPassword: Secret.123 EOF
Use setpin to set up the LDAP schema and ACI attributes:
$ sed \
-e "s/^host=.*$/host=ds.example.com/" \
-e "s/^port=.*$/port=3389/" \
-e "s/^binddn=.*$/binddn=cn=Directory Manager/" \
-e "s/^bindpw=.*$/bindpw=Secret.123/" \
-e "s/^pinmanager=.*$/pinmanager=uid=pinmanager,dc=example,dc=com/" \
-e "s/^pinmanagerpwd=.*$/pinmanagerpwd=Secret.123/" \
-e "s/^basedn=.*$/basedn=ou=people,dc=example,dc=com/" \
/usr/share/pki/tools/setpin.conf > setpin.conf
$ setpin optfile=setpin.conf
Use setpin to generate PINs for all users:
$ sed -i "/^setup=/d" setpin.conf
$ setpin \
filter="(objectClass=person)" \
optfile=setpin.conf \
output=setpin.out \
write
The PINs will be stored in setpin.out as follows:
dn:uid=testuser,ou=people,dc=example,dc=com pin:GIRbLe status:added
The caDirPinUserCert profile is stored in /var/lib/pki/pki-tomcat/ca/profiles/ca/caDirPinUserCert.cfg.
By default the profile is disabled. To enable the profile update the following parameter:
enable=true
By default the certificate will be valid for 180 days. For testing the validity range can be shortened, e.g. to 5 minutes:
policyset.userCertSet.2.default.params.range=5 policyset.userCertSet.2.default.params.rangeUnit=minute
By default the profile is configured with PinDirEnrollment authentication manager:
auth.instance_id=PinDirEnrollment
Add the PinDirEnrollment authentication manager into /var/lib/pki/pki-tomcat/ca/conf/CS.cfg:
auths.instance.PinDirEnrollment.pluginName=UidPwdPinDirAuth auths.instance.PinDirEnrollment.ldap.basedn=ou=people,dc=example,dc=com auths.instance.PinDirEnrollment.ldap.ldapauth.authtype=BasicAuth auths.instance.PinDirEnrollment.ldap.ldapconn.host=ds.example.com auths.instance.PinDirEnrollment.ldap.ldapconn.port=389
The UidPwdPinDirAuth authentication plugin is already defined in the CS.cfg:
auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication
Finally, restart CA subsystem:
$ pki-server ca-redeploy --wait
|
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |