Hi all,
I assumed that all certificates for FreeIPA were stored in the integrated DogTag server, but someone said that the certificates stored for an individual account are stored in an NSS database. Is this correct? It seems weird to me, but I just wanted to check.
Thanks,
Scott
Scott Reed via FreeIPA-users wrote:
> Hi all,
> I assumed that all certificates for FreeIPA were stored in the integrated DogTag server, but someone said that the certificates stored for an individual account are stored in an NSS database. Is this correct? It seems weird to me, but I just wanted to check.
It isn't that simple.
Dogtag as the CA contains all of the certificates it issued. It uses LDAP as its backend. This contains only public keys.
For its own operational certificates it uses an NSS database. This only contains the 5 or 6 certificates needed by the CA (OCSP cert, audit cert, etc.).
Beyond that the CA doesn't control where the private keys are stored (NSS or flat file PEM for example).
In a current IPA server the storage format varies by service. Apache uses PEM files, 389-ds uses an NSS database, the PKINIT certificate is PEM and the RA agent (used to talk to the CA) is also a set of PEM files.
Is there a reason for the question or just curiosity?
rob
Yes, I'm researching how FreeIPA handles the certificates and keys.
What about the certificates for 2 factor authentication? You place the certificate in the user account. Is that stored in an NSS database as well?
Thanks,
Scott
Scott Reed via FreeIPA-users wrote:
> Yes, I'm researching how FreeIPA handles the certificates and keys.
> What about the certificates for 2 factor authentication? You place the certificate in the user account. Is that stored in an NSS database as well?
cert as a second factor?
Anyway, IPA (dogtag) does not store private keys, only public ones. The private key storage location is up to the user.
If a user wants to store their keys in their own NSS database then great, the user manages that, but it isn't mandatory. You would never want them stored in a database used by IPA (as key access is required).
So IPA uses several NSS databases for its own key storage. These are not intended for general purpose use.
rob
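As an added illustration (not code from the thread or from the FreeIPA project) of the two points Rob makes above, that the storage format varies by service (PEM files for some, NSS databases for others) and that private keys should never land in a database IPA itself uses, here is a small inventory script. It classifies a path as an NSS database directory (by the presence of cert8.db/cert9.db or key3.db/key4.db) or a PEM file (by its BEGIN/END block labels), and reports whether the location holds only certificates or also private keys. The directory and file names it builds in `demo()` are constructed placeholders, not real IPA paths, and the PEM bodies are dummy text; only the block labels matter to the classifier.

```python
"""Inventory where certificates and private keys live on disk (added example).

The files and directories built by demo() are constructed stand-ins so the
script runs offline; they are not real FreeIPA locations.
"""
import os
import re
import tempfile

# NSS database file names: cert8/key3 is the legacy DBM format,
# cert9/key4 the SQLite format (both have been used by 389-ds).
NSS_CERT_DB = ("cert8.db", "cert9.db")
NSS_KEY_DB = ("key3.db", "key4.db")

# A PEM block: the END label must match the BEGIN label (backreference).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)


def classify_pem(data: str) -> dict:
    """Count certificate and private-key blocks in PEM text."""
    certs = keys = 0
    for match in PEM_BLOCK.finditer(data):
        label = match.group(1)
        if label == "CERTIFICATE":
            certs += 1
        elif "PRIVATE KEY" in label:
            # Covers "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
            # "ENCRYPTED PRIVATE KEY".
            keys += 1
    return {"kind": "pem", "certs": certs, "private_keys": keys}


def classify_path(path: str) -> dict:
    """Decide whether a path is an NSS database directory or a PEM file."""
    if os.path.isdir(path):
        names = set(os.listdir(path))
        has_cert_db = any(n in names for n in NSS_CERT_DB)
        has_key_db = any(n in names for n in NSS_KEY_DB)
        if has_cert_db or has_key_db:
            # A key DB file only shows that a key store exists; to list what it
            # actually holds, run `certutil -K -d <dir>` on the server.
            return {"kind": "nss", "cert_db": has_cert_db, "key_db": has_key_db}
        return {"kind": "unknown"}
    with open(path, "r", errors="replace") as handle:
        return classify_pem(handle.read())


def holds_private_key(info: dict) -> bool:
    """True when the classified location carries (or can carry) private keys."""
    if info["kind"] == "nss":
        return bool(info["key_db"])
    return info.get("private_keys", 0) > 0


def demo() -> dict:
    """Build a constructed tree and inventory it; returns name -> classification."""
    # Dummy PEM bodies: the classifier only looks at the block labels.
    cert = "-----BEGIN CERTIFICATE-----\nMIIB-placeholder\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN PRIVATE KEY-----\nMIIE-placeholder\n-----END PRIVATE KEY-----\n"
    with tempfile.TemporaryDirectory() as root:
        nss_dir = os.path.join(root, "dirsrv-nssdb")       # stands in for a 389-ds NSS DB
        os.mkdir(nss_dir)
        for name in ("cert9.db", "key4.db", "pkcs11.txt"):
            open(os.path.join(nss_dir, name), "w").close()
        ca_chain = os.path.join(root, "ca-chain.pem")      # certificates only
        with open(ca_chain, "w") as handle:
            handle.write(cert * 2)
        httpd = os.path.join(root, "httpd.pem")            # cert plus its private key
        with open(httpd, "w") as handle:
            handle.write(cert + key)
        return {os.path.basename(p): classify_path(p) for p in (nss_dir, ca_chain, httpd)}


if __name__ == "__main__":
    for name, info in demo().items():
        print(f"{name}: {info} private_key={holds_private_key(info)}")
```

Run against the real paths of a server and you get a quick map of which service keeps its private key in PEM and which in an NSS database; a user's own key directory showing up with `holds_private_key` true inside a location IPA owns is exactly the situation Rob says to avoid.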
freeipa-users@lists.fedorahosted.org