Using ipa-getcert -U id-kp-serverAuth as shown in documentation, the certificate is created with EKU for both "TLS Web Server Authentication" and "TLS Web Client Authentication". OpenVPN, for example, is one application that suggests setting the server's certificate to only specify "TLS Web Server Authentication": http://openvpn.net/index.php/open-source/documentation/howto.html#mitm
With the current /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg and ipa-getcert, it doesn't seem possible to override the default for specific cases, though the -U option to ipa-getcert seems to indicate that specific EKUs can be requested.
After a brief IRC discussion with simo, rcrit, and awnuk, it was suggested that I open a ticket for this capability.
In short, I'd like to be able to accomplish what is outlined in http://openvpn.net/index.php/open-source/documentation/howto.html#mitm in the bulleted section "OpenVPN 2.1 and above". Thanks.
This will be possible when IPA supports multiple certificate profiles.
attachment pki-ftweedal-0002-Add-EKU-constraint-to-all-relevant-profiles.patch
attachment pki-ftweedal-0003-Copy-Extended-Key-Usage-from-CSR-when-present.patch
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1200694 (Red Hat Enterprise Linux 7)
Not required for GA.
This can now be achieved with different (custom) profiles.
Whilst that is not what is specifically asked for in the ticket, accepting user-specified (in CSR) EKU in default profile would require creating a new Dogtag profile policy default that does something along the lines of:
And the default profile would have to be updated to use this new component.
I think specifying a profile with the exact EKU that is appropriate for a given use case is the most sensible approach (and it is now supported). Therefore I propose closing this ticket and, if necessary, updating guides and documentation that refer to getcert '-U' option to indicate that this is not the intended way to get a particular EKU with FreeIPA.
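As an added illustration of the "profile with the exact EKU" approach (this is example configuration, not from the ticket or the FreeIPA project), below is the relevant fragment of a Dogtag certificate profile that issues certificates carrying only id-kp-serverAuth (1.3.6.1.5.5.7.3.1). The profile ID "caIPAserviceCertServerOnly" and the policy index 7 are assumed; the default and constraint class names and their exKeyUsage* parameters are Dogtag's. The rest of the profile (subject name, validity, key usage and other policies) is left out.

```ini
# Example fragment (not the project's shipped profile): a copy of the
# service-certificate profile restricted to a server-only EKU.
# Assumed profile ID; pick any name not already registered with the CA.
profileId=caIPAserviceCertServerOnly
classId=caEnrollImpl
desc=Server certificates with a TLS Web Server Authentication EKU only (example profile)
visible=false
enable=true
enableBy=admin
auth.instance_id=raCertAuth
name=IPA-RA Agent-Authenticated Server-Only Certificate Enrollment

policyset.list=serverCertSet
# Policy 7 is the EKU policy in this example; the other policies of the
# set (subject name, validity, key usage, ...) are omitted here.
policyset.serverCertSet.list=7

# Default: stamp the EKU extension with serverAuth alone, regardless of
# which EKU values a CSR asks for.
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1

# Constraint: reject issuance if anything other than serverAuth would end up
# in the extension, so the profile cannot silently regain clientAuth
# (1.3.6.1.5.5.7.3.2) through a later edit or an agent override.
policyset.serverCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
policyset.serverCertSet.7.constraint.name=Extended Key Usage Extension Constraint
policyset.serverCertSet.7.constraint.params.exKeyUsageCritical=false
policyset.serverCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
```

Once the profile is imported into the CA (ipa certprofile-import with the file above and --store=TRUE), a request can name it with ipa-getcert's -T option, and the issued certificate can be checked with openssl x509 -noout -ext extendedKeyUsage, which should list only TLS Web Server Authentication. The constraint half is the part worth keeping: the default alone fixes what is written, but the constraint is what makes the CA refuse a certificate that does not match the stated policy.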
Closing WONTFIX per above comments and lack of objections.
Feel free to reopen the discussion if custom profiles don't meet a particular use case involving EKU.
Metadata Update from @amessina:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.4 Backlog