Using smart cards with FreeIPA – Part 2

At the end of our last post in this series, we had a user certificate that we loaded onto our smart card.  I didn’t cover how the certificate was actually issued by a certificate authority.  This installment will cover how your certificate may be issued, and how you can associate it with a user in FreeIPA.

Externally issued user certificates

As a first example, let’s assume that we had some external certificate authority that issued our user certificate, not the certificate authority inside of our FreeIPA server.  This fits the use-case where you may already have a certificate or smart card that was issued, which you want to use to authenticate against a service that uses FreeIPA for authentication and identity information.  FreeIPA 4.2 now allows you to associate existing certificates with user entries.

Let’s assume we have a user in our FreeIPA server that we want to associate with the certificate we have on our smart card.  Our example user looks like this:

[fedora@fedora ~]$ ipa user-show suser
  User login: suser
  First name: Some
  Last name: User
  Home directory: /home/suser
  Login shell: /bin/sh
  Email address: suser@example.test
  UID: 294800003
  GID: 294800003
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

The ‘ipa’ utility now has a ‘user-add-cert’ command that adds certificates to a user entry.  The certificate needs to be provided as base-64 encoded DER on a single line.  It is quite common to have your certificates in PEM format, which is really just base-64 encoded DER with line-wrapping and a header/footer.  We can use the ‘openssl’ utility to convert our PEM file to DER and ‘base64 -w 0’ to encode it without line breaks, so we can convert the certificate and add it to our user entry at the same time like so:

[fedora@fedora ~]$ ipa user-add-cert suser --certificate=$(openssl x509 -in ~/card1.pem -outform DER | base64 -w 0)
----------------------------------
Added certificates to user "suser"
----------------------------------
  User login: suser
  Certificate: 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

Our externally issued certificate is now associated with our user in FreeIPA.  We’ll get into how this certificate can be used in the next installment.

Issuing user certificates from FreeIPA

Let’s consider the use-case where you don’t already have a user certificate or smart card, but you want to use the certificate authority in your FreeIPA server to issue one.

FreeIPA 4.2 added the ability to create custom certificate profiles, which allow different types of certificates to be issued by its certificate authority.  Fraser Tweedale recently wrote a blog post that describes how these new capabilities work:

https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/

Fraser’s post provides quite a bit of detail on how this new functionality can be used, which I won’t repeat here.  In Fraser’s example, he created a certificate profile for S/MIME encryption.  In our example, we’re going to create a profile that is intended to be used as an identity cert (client authentication and signing).  For non-repudiation reasons, it’s ideal to generate your private key for signing on a smart card, as smart cards are designed to not allow your private key to ever be extracted.  If your card is lost or damaged, you can simply get a new card, generate new keys, and get a new signing certificate.

You could generate private keys on a smart card for an encryption certificate, like the certificates that would be issued from Fraser’s S/MIME profile.  You have to be careful in this case though, as there is no way to back up your private key.  If you lose or damage your smart card, you would not be able to decrypt any of your data that is protected by that key.  For this reason, it’s a better idea to generate an encryption private key on a secure system, then write it to your smart card.  You can then back up your private key somewhere secure (like a thumbdrive locked in a safe).

To create our signing certificate profile, we’ll first export a copy of FreeIPA’s service certificate profile so we can modify it to suit our use-case:

[fedora@fedora ~]$ ipa certprofile-show --out clientIdentity.cfg caIPAserviceCert
-------------------------------------------------------
Profile configuration stored in file 'clientIdentity.cfg'
-------------------------------------------------------
  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE

We need to modify the profile so that the certificates it issues are valid only for signing and client authentication.  In the key usage extension that means keeping the ‘digitalSignature’ flag (which the service profile already sets) and clearing ‘dataEncipherment’, ‘keyEncipherment’ and ‘nonRepudiation’.  Both the ‘constraint’ and the ‘default’ parameter sets have to be changed together, otherwise the constraint will reject the extension that the default produces.  In the extended key usage extension we keep only the ‘TLS WWW client authentication’ OID (1.3.6.1.5.5.7.3.2) and drop the server authentication OID (1.3.6.1.5.5.7.3.1).  We also provide a unique profile ID and update the name and description to match the use-case for our new profile.  Here is a diff showing what needs to be modified from FreeIPA’s service certificate profile:

--- orig.cfg    2015-08-14 08:33:06.169655239 -0700
+++ clientIdentity.cfg    2015-08-14 14:13:09.561942477 -0700
@@ -3 +3 @@
-desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+desc=This certificate profile is for enrolling client identity certificates with IPA-RA agent authentication.
@@ -9 +9 @@
-name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+name=IPA-RA Agent-Authenticated Client Identity Certificate Enrollment
@@ -63 +63 @@
-policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=false
@@ -69,2 +69,2 @@
-policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
-policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
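Review bot: the constraint params cleared here (and dataEncipherment in the hunk above) need their default counterparts cleared as well, which the later @@ -75 and @@ -81,2 hunks do; the Dogtag key usage constraint checks the extension the default populated against these values, so a profile where only one side was changed would reject every request instead of issuing a narrower certificate. keyUsageDigitalSignature does not appear in the diff, so it keeps the inherited value; confirm it is still true, since that is the one bit a client-authentication certificate must carry.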
@@ -75 +75 @@
-policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=false
@@ -81,2 +81,2 @@
-policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
-policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
@@ -88 +88 @@
-policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
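Review bot: this leaves clientAuth (1.3.6.1.5.5.7.3.2) as the only EKU, which is what an identity certificate should carry; the extension is filled in from this parameter by the default, not copied from the CSR, so a requester cannot put serverAuth back. If policy 7 uses noConstraintImpl, as the stock caIPAserviceCert does, there is no matching constraint line to update.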
@@ -108 +108 @@
-profileId=caIPAserviceCert
+profileId=clientIdentity
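Review bot: the profileId value must be identical to the ID passed to ‘ipa certprofile-import’ (clientIdentity in the import that follows); the import rejects a file whose profileId disagrees with the command-line ID. The remaining policies are untouched, so enrollment through this profile still goes through IPA-RA agent authentication, which is what the desc and name hunks above describe.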

As our FreeIPA admin user, we now import our newly created profile.  We add the ‘--store TRUE’ option so issued certificates are automatically added to their associated user entries:

[fedora@fedora ~]$ ipa certprofile-import clientIdentity --file ./clientIdentity.cfg --desc "Client identity certificates" --store TRUE
---------------------------------
Imported profile "clientIdentity"
---------------------------------
  Profile ID: clientIdentity
  Profile description: Client identity certificates
  Store issued certificates: TRUE

We want to allow any of our users defined in FreeIPA to self-enroll for their own identity certificate.  To do this, we will define a CA ACL rule to allow users in the ‘ipausers’ group to use our new certificate profile:

[fedora@fedora ~]$ ipa caacl-add clientIdentity_acl
---------------------------------
Added CA ACL "clientIdentity_acl"
---------------------------------
  ACL name: clientIdentity_acl
  Enabled: TRUE
[fedora@fedora ~]$ ipa caacl-add-user clientIdentity_acl --group ipausers
  ACL name: clientIdentity_acl
  Enabled: TRUE
  User Groups: ipausers
-------------------------
Number of members added 1
-------------------------
[fedora@fedora ~]$ ipa caacl-add-profile clientIdentity_acl --certprofile clientIdentity
  ACL name: clientIdentity_acl
  Enabled: TRUE
  Profiles: clientIdentity
  User Groups: ipausers
-------------------------
Number of members added 1
-------------------------

We are now ready to use our new profile to issue a user certificate!  There are a few things to be aware of first though.  We are allowing users to self-enroll for their certificates, but we don’t want to blindly sign any certificate signing request that they provide.  FreeIPA will validate that the ‘CN’ in the certificate subject matches the ‘uid’ of the user it is being associated with.  If an e-mail address is supplied in the ‘Subject Alternative Name’ in the certificate signing request, validation is performed to ensure that the specified e-mail address exists in the user entry in FreeIPA.
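
To make those two checks concrete, here is an added Python example (my code, not FreeIPA’s; the server performs its own checks in its own implementation) that walks the DER of a user certificate, pulls out the subject CN, the SAN e-mail addresses, the key usage bits and the EKU OIDs, and applies the CN/login and e-mail checks the way this post describes them.  The input is the certificate that ‘ipa user-show nkinder --out=...’ prints near the end of this page (serial 11), so it also confirms that the profile edits above took effect: key usage is digitalSignature only and the EKU is clientAuth only.  The function names and the e-mail error wording are mine.

```python
import base64
# Base64 DER of the user certificate that `ipa user-show nkinder --out=...` prints
# further down this page (copied from the page, not constructed). Serial 11 (0xB).
NKINDER_CERT_B64 = (
    "MIIDnDCCAoSgAwIBAgIBCzANBgkqhkiG9w0BAQsFADA3MRUwEwYDVQQKDAxFWEFN"
    "UExFLlRFU1QxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNTA4"
    "MTkyMzA0MzJaFw0xNzA4MTkyMzA0MzJaMCkxFTATBgNVBAoMDEVYQU1QTEUuVEVT"
    "VDEQMA4GA1UEAwwHbmtpbmRlcjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA"
    "02+PX1PoEVguzb7X0hyqaveQPSQ1x9LTBPbe+yqbvJWHoUwCdjDLxxDZb87fyI3B"
    "vAggHbeBYTGuLOP24JjJOOUrsPwe5+WMZksLlyy6UmBkqGac7yn7c5+IrOXdrx9h"
    "O3g3bRzPsUhSKknpiHj56I8YAX29s5Sx7oWc2jI2lIsCAwEAAaOCAUMwggE/MB8G"
    "A1UdIwQYMBaAFIIgZZXCHm9eiZpAyQkTfw0SyRWUMD4GCCsGAQUFBwEBBDIwMDAu"
    "BggrBgEFBQcwAYYiaHR0cDovL2lwYS1jYS5leGFtcGxlLnRlc3QvY2Evb2NzcDAO"
    "BgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwdwYDVR0fBHAwbjBs"
    "oDSgMoYwaHR0cDovL2lwYS1jYS5leGFtcGxlLnRlc3QvaXBhL2NybC9NYXN0ZXJD"
    "UkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNh"
    "dGUgQXV0aG9yaXR5MB0GA1UdDgQWBBR7tMFeYf2rJ+E8sh4hEhg33AQwQzAfBgNV"
    "HREEGDAWgRRua2luZGVyQGV4YW1wbGUudGVzdDANBgkqhkiG9w0BAQsFAAOCAQEA"
    "h4xuMOvmkPdM9k7CWyXzMxYSYUBeyMScQZKPzaJkIqt5mzDdeW7jqDNtw7tGat7z"
    "U58NMCZziKycaezFvoFJkw3o7STUTLxoYMNye5v2uyY3GQOUyfnvQaHTce8BT0td"
    "FK+rEin6h8SFaNKnOFnS83O6Vz/kG48pxZQiuwUSQ6KvjF6LH0DXidV1lwZlinbO"
    "B22ZR1IicjiEJlzIbkS2NalBKtaZzAC/cMovpIDi1Rs1d7lJeM6q7ez09Zg/EP/C"
    "ySewxtb8zbEpYc9SsFgkpT/GSEWi31mnWA8pfugQwY5DlWyP8tfSS4FiTlzc/C3s"
    "ZZBkrBblrG76vduEPhoH/Q=="
)
NKINDER_DER = base64.b64decode(NKINDER_CERT_B64)

OID_CN, OID_KEY_USAGE, OID_SAN, OID_EKU = "2.5.4.3", "2.5.29.15", "2.5.29.17", "2.5.29.37"
KU_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
            "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]

def read_tlv(buf, pos):
    """Decode the DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV packed inside a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def decode_oid(raw):
    """Dotted-decimal form of an encoded OBJECT IDENTIFIER value."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_name(buf, start, end):
    """X.501 Name = SEQUENCE OF SET OF SEQUENCE { type OID, value }; returns [(oid, text)]."""
    out = []
    for _, rdn_s, rdn_e in children(buf, start, end):
        for _, atv_s, atv_e in children(buf, rdn_s, rdn_e):
            (_, o_s, o_e), (_, v_s, v_e) = list(children(buf, atv_s, atv_e))[:2]
            out.append((decode_oid(buf[o_s:o_e]), buf[v_s:v_e].decode("utf-8")))
    return out

def parse_cert(der):
    """Serial, subject, SAN rfc822Names, key usage names and EKU OIDs of a DER certificate."""
    _, tbs_s, _ = read_tlv(der, 0)                      # Certificate ::= SEQUENCE
    _, t_s, t_e = read_tlv(der, tbs_s)                  # tbsCertificate ::= SEQUENCE
    fields = list(children(der, t_s, t_e))
    i = 1 if fields[0][0] == 0xA0 else 0                # skip the [0] EXPLICIT version if present
    cert = {"serial": int.from_bytes(der[fields[i][1]:fields[i][2]], "big", signed=True),
            "subject": parse_name(der, fields[i + 4][1], fields[i + 4][2]),
            "emails": [], "key_usage": [], "eku": []}
    for tag, s, e in fields[i + 5:]:
        if tag != 0xA3:                                 # [3] EXPLICIT Extensions
            continue
        _, exts_s, exts_e = read_tlv(der, s)
        for _, ext_s, ext_e in children(der, exts_s, exts_e):
            parts = list(children(der, ext_s, ext_e))   # extnID, optional critical, extnValue
            oid = decode_oid(der[parts[0][1]:parts[0][2]])
            _, v_s, v_e = read_tlv(der, parts[-1][1])   # the DER wrapped in the OCTET STRING
            if oid == OID_SAN:                          # GeneralNames; context tag [1] = rfc822Name
                cert["emails"] += [der[g_s:g_e].decode("ascii")
                                   for gt, g_s, g_e in children(der, v_s, v_e) if gt == 0x81]
            elif oid == OID_EKU:
                cert["eku"] = [decode_oid(der[o_s:o_e]) for _, o_s, o_e in children(der, v_s, v_e)]
            elif oid == OID_KEY_USAGE:                  # BIT STRING: unused-bit count, then the bits
                bits = der[v_s + 1:v_e]
                cert["key_usage"] = [n for k, n in enumerate(KU_NAMES)
                                     if k // 8 < len(bits) and bits[k // 8] >> (7 - k % 8) & 1]
    return cert

def check_for_user(cert, login, user_emails):
    """The two checks this post describes, as I read them: CN must equal the login (the error
    text is the one shown on this page) and every SAN e-mail must already be on the entry."""
    if [v for oid, v in cert["subject"] if oid == OID_CN] != [login]:
        return False, "DN commonName does not match user's login"
    for addr in cert["emails"]:
        if addr not in user_emails:
            return False, "subjectAltName e-mail %s is not on the user entry" % addr
    return True, "ok"
```

Run ‘parse_cert(NKINDER_DER)’ and then ‘check_for_user(..., "nkinder", ["nkinder@example.test"])’ to see the accepting case, and pass "auser" to reproduce the rejection shown later in this post.  The walker is deliberately minimal (single-byte tags, no signature or chain checks), which is enough to see exactly what is being compared; for anything beyond inspection use a real X.509 library.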

For this example, we will use the following user from our FreeIPA server:

[fedora@fedora ~]$ ipa user-show nkinder
  User login: nkinder
  First name: Nathan
  Last name: Kinder
  Home directory: /home/nkinder
  Login shell: /bin/sh
  Email address: nkinder@example.test
  UID: 294800005
  GID: 294800005
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

We start with another blank Athena ASECard Crypto smart card in this example.  We use the ‘pkcs15-init’ utility to perform the exact same ‘--create-pkcs15’, ‘--store-pin’, and ‘--generate-key’ commands that we used in Part 1 of this series.  Like before, we use the ‘openssl’ utility to generate our certificate signing request.  This time we want to include the ‘subjectAltName’ extension, which isn’t easily passed on the ‘openssl’ command line.  Instead, we create a request config file, taking care that the ‘commonName’ matches our user login and that the e-mail address in the ‘subjectAltName’ extension matches the e-mail address of our user in FreeIPA:

[nkinder@localhost ~]$ cat ~/card2.conf 
[ req ]
prompt = no
encrypt_key = no

distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = "nkinder"

[ exts ]
subjectAltName=email:nkinder@example.test

We then generate the certificate signing request using this config file like so:

[nkinder@localhost ~]$ openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib64/openssl/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib64/openssl/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL> req -engine pkcs11 -new -key slot_1-id_b76e842c842f31de40401b9302e5cc6c16b0156b -keyform engine -out /home/nkinder/card2.req -text -config /home/nkinder/card2.conf
engine "pkcs11" set.
PKCS#11 token PIN: 
OpenSSL>

We now have our certificate signing request, which we can submit to FreeIPA.  Here is what our request looks like.  Note the 1024-bit RSA key generated on the card: it is fine for a lab exercise, but for anything you deploy for real, generate 2048-bit or larger keys and check whether your profile enforces a minimum key size:

[nkinder@localhost ~]$ openssl req < /home/nkinder/card2.req -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=nkinder
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:d3:6f:8f:5f:53:e8:11:58:2e:cd:be:d7:d2:1c:
                    aa:6a:f7:90:3d:24:35:c7:d2:d3:04:f6:de:fb:2a:
                    9b:bc:95:87:a1:4c:02:76:30:cb:c7:10:d9:6f:ce:
                    df:c8:8d:c1:bc:08:20:1d:b7:81:61:31:ae:2c:e3:
                    f6:e0:98:c9:38:e5:2b:b0:fc:1e:e7:e5:8c:66:4b:
                    0b:97:2c:ba:52:60:64:a8:66:9c:ef:29:fb:73:9f:
                    88:ac:e5:dd:af:1f:61:3b:78:37:6d:1c:cf:b1:48:
                    52:2a:49:e9:88:78:f9:e8:8f:18:01:7d:bd:b3:94:
                    b1:ee:85:9c:da:32:36:94:8b
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                email:nkinder@example.test
    Signature Algorithm: sha1WithRSAEncryption
         19:04:2a:00:71:b6:f6:0c:04:cc:f7:9a:e0:d8:ab:9c:6a:e9:
         11:22:27:16:e7:1b:78:92:78:b8:cc:24:61:9f:71:e9:43:bb:
         f2:08:1c:0f:6e:ad:6a:29:d0:37:a2:a6:d9:ec:04:19:58:e2:
         e9:e9:8d:06:d2:db:ca:6d:c9:54:b1:ca:58:82:80:87:23:37:
         c8:8e:69:d3:6f:c0:2c:84:e2:4d:89:4a:d0:d3:37:6a:5f:c0:
         00:6d:e4:24:22:f2:2e:0a:90:a5:48:15:d1:12:71:05:e1:1e:
         7f:85:e9:e8:74:df:75:ed:0e:65:2e:4b:e3:ae:66:88:9f:bc:
         07:10
-----BEGIN CERTIFICATE REQUEST-----
MIIBgzCB7QIBADASMRAwDgYDVQQDEwdua2luZGVyMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQDTb49fU+gRWC7NvtfSHKpq95A9JDXH0tME9t77Kpu8lYehTAJ2
MMvHENlvzt/IjcG8CCAdt4FhMa4s4/bgmMk45Suw/B7n5YxmSwuXLLpSYGSoZpzv
Kftzn4is5d2vH2E7eDdtHM+xSFIqSemIePnojxgBfb2zlLHuhZzaMjaUiwIDAQAB
oDIwMAYJKoZIhvcNAQkOMSMwITAfBgNVHREEGDAWgRRua2luZGVyQGV4YW1wbGUu
dGVzdDANBgkqhkiG9w0BAQUFAAOBgQAZBCoAcbb2DATM95rg2KucaukRIicW5xt4
kni4zCRhn3HpQ7vyCBwPbq1qKdA3oqbZ7AQZWOLp6Y0G0tvKbclUscpYgoCHIzfI
jmnTb8AshOJNiUrQ0zdqX8AAbeQkIvIuCpClSBXREnEF4R5/henodN917Q5lLkvj
rmaIn7wHEA==
-----END CERTIFICATE REQUEST-----

As our FreeIPA admin user, we submit our certificate signing request and specify that our new profile should be used.  We also need to specify the principal of the user that this certificate is associated with:

[fedora@fedora ~]$ kinit admin
Password for admin@EXAMPLE.TEST:
[fedora@fedora ~]$ ipa cert-request ~/card2.req --principal nkinder --profile-id clientIdentity
  Certificate: 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
  Subject: CN=nkinder,O=EXAMPLE.TEST
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Not Before: Wed Aug 19 23:04:32 2015 UTC
  Not After: Sat Aug 19 23:04:32 2017 UTC
  Fingerprint (MD5): f2:72:57:31:b9:b4:02:5c:44:fb:b8:19:5b:fc:da:4a
  Fingerprint (SHA1): c2:3d:21:8d:ff:39:62:bb:f1:ed:87:15:5e:79:6b:4c:0b:04:65:15
  Serial number: 11
  Serial number (hex): 0xB

Our certificate was successfully issued!  Note that if the administrator attempted to submit this request for the wrong user, the request would be rejected:

[fedora@fedora ~]$ ipa cert-request ~/card2.req --principal auser --profile-id clientIdentity
ipa: ERROR: invalid 'csr': DN commonName does not match user's login

You may have noticed that we used our admin user to submit the certificate signing request.  This is currently a privileged operation in FreeIPA.  It would be desirable to have a way to self-enroll for a certificate and cut out the need for an admin to have to submit every single user request.  This is a nice potential enhancement for future FreeIPA versions.

Edit:  This has recently been fixed to allow for self-registration (see https://fedorahosted.org/freeipa/ticket/5190 for details).  Previously, requesting a certificate using the ‘subjectAltName’ was a restricted operation, but this will now be allowed in FreeIPA 4.2.1.  The result is that a user can request their own certificate as shown in the following example:

[fedora@fedora ~]$ klist
Ticket cache: KEYRING:persistent:1000:krb_ccache_9gsr1Ip
Default principal: nkinder@EXAMPLE.TEST

Valid starting       Expires              Service principal
08/20/2015 17:22:18  08/21/2015 17:22:13  HTTP/fedora.example.test@EXAMPLE.TEST
08/20/2015 17:22:16  08/21/2015 17:22:13  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
[fedora@fedora ~]$ ipa cert-request ~/card2.req --principal nkinder --profile-id clientIdentity
  Certificate: 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
  Subject: CN=nkinder,O=EXAMPLE.TEST
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Not Before: Fri Aug 21 03:36:18 2015 UTC
  Not After: Mon Aug 21 03:36:18 2017 UTC
  Fingerprint (MD5): 38:1c:ee:8e:09:9d:a1:66:c8:83:f7:0b:2e:23:24:0e
  Fingerprint (SHA1): 60:93:c7:d0:e1:a6:0d:c0:08:d8:d7:ce:ad:ff:02:20:3d:c2:c9:1b
  Serial number: 12
  Serial number (hex): 0xC

A user can retrieve their own certificate by displaying themselves in the FreeIPA UI, or by showing their entry via the ‘ipa’ CLI:

[fedora@fedora ~]$ kinit nkinder
Password for nkinder@EXAMPLE.TEST: 
[fedora@fedora ~]$ ipa user-show nkinder
  User login: nkinder
  First name: Nathan
  Last name: Kinder
  Home directory: /home/nkinder
  Login shell: /bin/sh
  Email address: nkinder@example.test
  UID: 294800005
  GID: 294800005
  Certificate: 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
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

The certificate is supplied in base-64 encoded DER format, and it’s not possible to have the ‘ipa’ CLI output just the certificate value by itself.  We need the certificate in PEM format so we can put it on our smart card using the ‘pkcs15-init’ utility.  We can retrieve and convert the certificate in one shot with this hideous command-line (it assumes the entry carries exactly one certificate):

[fedora@fedora ~]$ ipa user-show --raw nkinder | grep '^  usercertificate' | sed -e 's/^  usercertificate: //' | base64 -d | openssl x509 -inform DER -outform PEM -out ~/card2.pem
[fedora@fedora ~]$ cat ~/card2.pem 
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
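
Both conversions this post relies on, as an added Python example of mine (not the ‘ipa’ CLI’s or FreeIPA’s code): the PEM-to-single-line base-64 DER step that ‘user-add-cert’ needs, and the reverse ‘--raw’-output-to-PEM step above, including the one case the grep/sed one-liner does not handle: an entry that carries more than one certificate.  The sample ‘--raw’ output and the DER blobs inside it are constructed, not taken from a real server, and the function names are mine.

```python
import base64
import re
import ssl

# Constructed sample of `ipa user-show --raw` output in the shape the post's one-liner greps
# for (two-space indent, one `usercertificate:` line per value); this entry has two values.
# The blobs are dummy DER (a SEQUENCE holding one INTEGER), not real certificates, so the
# example runs offline.
DUMMY_DER_11 = b"\x30\x03\x02\x01\x0b"
DUMMY_DER_12 = b"\x30\x03\x02\x01\x0c"
RAW_OUTPUT = (
    "  uid: nkinder\n"
    "  mail: nkinder@example.test\n"
    "  usercertificate: " + base64.b64encode(DUMMY_DER_11).decode() + "\n"
    "  usercertificate: " + base64.b64encode(DUMMY_DER_12).decode() + "\n"
)

CERT_LINE = re.compile(r"^\s*usercertificate:\s*(\S+)\s*$", re.IGNORECASE)
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)

def ders_from_raw(text):
    """Every usercertificate value on the entry as DER bytes, in printed order.
    The grep | sed | base64 -d pipeline silently assumes there is exactly one."""
    return [base64.b64decode(m.group(1), validate=True)
            for m in map(CERT_LINE.match, text.splitlines()) if m]

def der_to_pem(der):
    """PEM with 64-column body lines, the layout `pkcs15-init --format pem` reads."""
    return ssl.DER_cert_to_PEM_cert(der)

def pems_to_ipa_args(pem_text):
    """Reverse direction, for `ipa user-add-cert --certificate=...`: one unwrapped base-64
    DER string per certificate in the PEM text (a bundle yields several)."""
    return [base64.b64encode(ssl.PEM_cert_to_DER_cert(block)).decode()
            for block in PEM_BLOCK.findall(pem_text)]
```

Pick the certificate you want by index (or by serial, after decoding it) before writing it out; with two values on the entry the one-liner above either fails in ‘base64 -d’ or silently keeps only the first one.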

Now that we have our certificate that was issued by our FreeIPA server, we can push it onto our smart card the same way we did in the previous blog post:

[nkinder@localhost ~]$ pkcs15-init --store-certificate ~/card2.pem --auth-id 01 --id b76e842c842f31de40401b9302e5cc6c16b0156b --format pem
Using reader with a card: OMNIKEY AG CardMan 3121 00 00
Security officer PIN [Security Officer PIN] required.
Please enter Security officer PIN [Security Officer PIN]: 
User PIN [Nathan Kinder] required.
Please enter User PIN [Nathan Kinder]: 
[nkinder@localhost ~]$ pkcs15-tool --list-certificates
Using reader with a card: OMNIKEY AG CardMan 3121 00 00
X.509 Certificate [Certificate]
    Object Flags   : [0x2], modifiable
    Authority      : no
    Path           : 3f0050153104
    ID             : b76e842c842f31de40401b9302e5cc6c16b0156b
    GUID           : {37ea4ba1-a216-762e-a3aa-f75db9836596}
    Encoded serial : 02 01 0B
[nkinder@localhost ~]$ pkcs15-tool --read-certificate b76e842c842f31de40401b9302e5cc6c16b0156b
Using reader with a card: OMNIKEY AG CardMan 3121 00 00
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Edit:  Improvements have been made to allow the ‘ipa user-show’ command to output user certificates in PEM format using the new ‘--out’ option (see https://fedorahosted.org/freeipa/ticket/5171 for details).  This new functionality will be available in FreeIPA 4.2.1.  Here is an example of the new option in use:

[fedora@fedora ~]$ ipa user-show --help
Usage: ipa [global-options] user-show LOGIN [options]

Display information about a user.
Options:
  -h, --help  show this help message and exit
  --rights    Display the access rights of this entry (requires --all). See
              ipa man page for details.
  --out=STR   file to store certificate in
  --all       Retrieve and print all attributes from the server. Affects
              command output.
  --raw       Print entries as stored on the server. Only affects output
              format.
[fedora@fedora ~]$ ipa user-show nkinder --out=/home/fedora/file.pem
-----------------------------------------------------
Certificate(s) stored in file '/home/fedora/file.pem'
-----------------------------------------------------
  User login: nkinder
  First name: Nathan
  Last name: Kinder
  Home directory: /home/nkinder
  Login shell: /bin/sh
  Email address: nkinder@example.test
  UID: 294800005
  GID: 294800005
  Certificate: MIIDnDCCAoSgAwIBAgIBCzANBgkqhkiG9w0BAQsFADA3MRUwEwYDVQQKDAxFWEFNUExFLlRFU1QxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNTA4MTkyMzA0MzJaFw0xNzA4MTkyMzA0MzJaMCkxFTATBgNVBAoMDEVYQU1QTEUuVEVTVDEQMA4GA1UEAwwHbmtpbmRlcjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA02+PX1PoEVguzb7X0hyqaveQPSQ1x9LTBPbe+yqbvJWHoUwCdjDLxxDZb87fyI3BvAggHbeBYTGuLOP24JjJOOUrsPwe5+WMZksLlyy6UmBkqGac7yn7c5+IrOXdrx9hO3g3bRzPsUhSKknpiHj56I8YAX29s5Sx7oWc2jI2lIsCAwEAAaOCAUMwggE/MB8GA1UdIwQYMBaAFIIgZZXCHm9eiZpAyQkTfw0SyRWUMD4GCCsGAQUFBwEBBDIwMDAuBggrBgEFBQcwAYYiaHR0cDovL2lwYS1jYS5leGFtcGxlLnRlc3QvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwdwYDVR0fBHAwbjBsoDSgMoYwaHR0cDovL2lwYS1jYS5leGFtcGxlLnRlc3QvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBR7tMFeYf2rJ+E8sh4hEhg33AQwQzAfBgNVHREEGDAWgRRua2luZGVyQGV4YW1wbGUudGVzdDANBgkqhkiG9w0BAQsFAAOCAQEAh4xuMOvmkPdM9k7CWyXzMxYSYUBeyMScQZKPzaJkIqt5mzDdeW7jqDNtw7tGat7zU58NMCZziKycaezFvoFJkw3o7STUTLxoYMNye5v2uyY3GQOUyfnvQaHTce8BT0tdFK+rEin6h8SFaNKnOFnS83O6Vz/kG48pxZQiuwUSQ6KvjF6LH0DXidV1lwZlinbOB22ZR1IicjiEJlzIbkS2NalBKtaZzAC/cMovpIDi1Rs1d7lJeM6q7ez09Zg/EP/CySewxtb8zbEpYc9SsFgkpT/GSEWi31mnWA8pfugQwY5DlWyP8tfSS4FiTlzc/C3sZZBkrBblrG76vduEPhoH/Q==
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[fedora@fedora ~]$ cat /home/fedora/file.pem 
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

We now have our smart card fully provisioned with a user certificate issued from our FreeIPA server!  In the next blog post, we’ll show how this smart card can be used for authentication.
