Right now we just disable the keytab on unenroll, we don't revoke the certificates. We should.
https://bugzilla.redhat.com/show_bug.cgi?id=580166
A certificate can be added to a host with something like:
$ ipa host-mod --certificate=... test.example.com
revoke cert when host is deleted or disabled freeipa-rcrit-604-host.patch
revoke cert when host is deleted or disabled freeipa-rcrit-604-host.2.patch
When a host is revoked we:
- revoke the host keytab
- revoke the host's certificate (if any)
- revoke all of the host's services keytabs
- revoke all of the host's services certificates
modified: 2046edd
To test:
My IPA server is on host slinky.example.com. I'm doing these commands from there.
# mkdir /etc/nsstmp
# certutil -N -d /etc/nsstmp
(for simplicity do not set a password)
# ipa host-add puma.example.com
# ipa host-add-managedby --hosts=slinky puma
(say that slinky is allowed to manage puma)
# ipa-getkeytab -s slinky -k /tmp/test.kt -p host/puma.example.com
# ipa-getcert request -d /etc/nsstmp -n Server-Cert -N "cn=puma.example.com,O=EXAMPLE.COM" -K host/puma.example.com@EXAMPLE.COM

Now run this until the cert is in the state MONITORING:
# ipa-getcert list

Just to double check, look at the host, it should have a keytab and a cert:
# ipa host-show puma
  Host name: puma.example.com
  Certificate: MIICkjCCAfugAwIBAgICBA...
  Principal name: host/puma.example.com@EXAMPLE.COM
  Keytab: True
  Managed by: puma.example.com
  Subject: CN=puma.example.com,O=EXAMPLE.COM
  Serial Number: 1029
  Issuer: CN=EXAMPLE.COM Certificate Authority
  Not Before: Thu Nov 18 20:41:16 2010 UTC
  Not After: Wed Nov 18 20:41:16 2015 UTC
  Fingerprint (MD5): 2a:f5:47:88:62:93:7f:87:2e:c5:d6:9a:11:df:b3:9d
  Fingerprint (SHA1): a0:4a:b2:2a:fc:f9:0f:cc:e7:18:30:29:7e:f6:63:75:8a:8d:45:12

Finally we're ready to test if disabling the host revokes/removes the cert too:
# ipa host-disable puma
---------------------------------------------------------
Removed kerberos key and disabled all services for "puma"
---------------------------------------------------------

Verify that the host is disabled and its cert is gone:
# ipa host-show puma
  Host name: puma.example.com
  Principal name: host/puma.example.com@EXAMPLE.COM
  Keytab: False
  Managed by: puma.example.com
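The last step of the procedure above is checked by eye. The following shell function is an added example, not part of the ticket or of FreeIPA itself: it takes the text of `ipa host-show` and returns success only when the host shows no Certificate attribute and `Keytab: False`, which is the state the test expects after `ipa host-disable`. The two sample outputs are constructed from the fields shown in the ticket; the only assumption is that the attribute names and indentation match what `ipa host-show` prints.

```shell
#!/bin/sh
# Added example (not from the ticket): automate the "verify that the host is
# disabled and its cert is gone" step.  Returns 0 when neither a keytab nor a
# certificate remains on the host entry, 1 otherwise.
host_is_fully_disabled() {
    out="$1"
    # A remaining "Certificate:" attribute means the cert was not removed.
    if printf '%s\n' "$out" | grep -q '^ *Certificate:'; then
        return 1
    fi
    # The keytab must be reported as removed.
    if ! printf '%s\n' "$out" | grep -q '^ *Keytab: False'; then
        return 1
    fi
    return 0
}

# Constructed sample: host entry before `ipa host-disable` (keytab and cert present).
BEFORE='  Host name: puma.example.com
  Certificate: MIICkjCCAfugAwIBAgICBA...
  Principal name: host/puma.example.com@EXAMPLE.COM
  Keytab: True
  Managed by: puma.example.com
  Serial Number: 1029'

# Constructed sample: the same host entry after `ipa host-disable`.
AFTER='  Host name: puma.example.com
  Principal name: host/puma.example.com@EXAMPLE.COM
  Keytab: False
  Managed by: puma.example.com'

# Against a live server the call would be (not run here):
# host_is_fully_disabled "$(ipa host-show puma)" && echo "puma fully disabled"
```

Run it after `ipa host-disable` on the host you are testing; a non-zero exit means either the keytab or the certificate survived the disable and the revocation path did not run.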
Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.0 - 2010/11