Using Privacyidea with FreeIPA - SSL certificates for PI

Jochen Hein <@Jochen_Hein> writes:

[ This mail sets the stage for more parts, which will get into technical
details. Comments or suggestions are welcome, possibly we should add
refined texts in the relevant wikis/documentations. - Jochen ]

== Get SSL certificate from IPA ==

Maintaining a local CA is cumbersome, certificates need to be
refreshed in regular intervals, and the CA certificate needs to be
available on all systems. And you need to chosse ciphers and other
parameters wisely (I didn’t, so chrome complains about my local

We need a couple of certificates anyway, so using some help is wise.
We need:

  • SSL certificates for our local servers and services (letsencrypt might
    help, but I prefer my own CA.

  • Certificates for user authentification for OpenVPN or OpenConnect.

Privacyidea has an option to connect to an external CA, but FreeIPA
has a well integrated and usable CA. We can get certificates for each
IPA-enrolled server, service, or user. The CA certificate is already
on each enrolled client, and the best of all: certmonger will refresh
certificates before they expire.

So, let’s get a certificate from IPA for privacyidea. First we need
to add a service principal to IPA, which will own the certificate:

ipa service-add HTTP/

Next we add a scipt to the privacyidea host to enable restarts after
the certificates have been refreshed
(e.g. /root/

chmod 600 /etc/ssl/certs/privacyideaserver.pem
chown root:root /etc/ssl/certs/privacyideaserver.pem

chmod 600 /etc/ssl/private/privacyideaserver.key
chown root:root /etc/ssl/private/privacyideaserver.key

systemctl restart apache2.service

And now we are ready to request a certificate vom IPA:

ipa-getcert request -f /etc/ssl/certs/privacyideaserver.pem
-k /etc/ssl/private/privacyideaserver.key
-N “CN=$(hostname --fqdn)” -D $(hostname)
-K HTTP/$(hostname --fqdn)
-C “/root/”

Verify that the status is “MONITORING” with “ipa-getcert list”.

When accessing your privacyidea server from an enrolled client you
should see a green lock and no certificate warnings.

I find that pretty impressive, after having fought with a local CA.–
The only problem with troubleshooting is that the trouble shoots back.