
How to set-up FreeIPA in CentOS 7 with a local domain

Background story: we use FreeIPA at my work and because I’d like to understand better how it all works with Kerberos, LDAP, DNS, etc., I figured my company would like it better if I played with the settings on a home installation rather than on that of our infrastructure. Yes, I know, I’m such a good soul.

The main idea behind this post is that I finally got my local root CA and IPA certificate to play well together today and I wanted to get this down so that 1) I wouldn’t forget the logic behind it, 2) anybody who had issues with this could get this to work.

Requirements:

  • A machine with CentOS 7 (I can only assume that it would work the exact same way on CentOS 8 but I haven’t tested it)
  • A funny local domain name (e.g. the-pis.local is mine — don’t even try to understand why, we have a thing for Pies with my wife)
  • A very basic understanding of how DNS & PKI (Public Key Infrastructure) work
  • Some time on your hands

Let’s start.

Setting up your own Root CA

So, basically, the way that SSL/TLS certificates work is with what is called a chain of trust. I will not go into details because other websites do and would probably explain it much better than I would. That being said, the basics are that you would normally have a Root CA (CA stands for Certificate Authority, which is some kind of entity that is trusted by browsers and various OSes) which trusts an Intermediate CA which in turn trusts your web-server certificate.

In this case, because we do all of this on a local domain and not on a real one that you would buy, we don’t need any intermediate CA to do the job and can just have a direct chain of trust as follows: Root CA > web-server certificate. This is what we’re going to do here.

Steps will be:

  1. Create the root CA private key and certificate
  2. Install FreeIPA packages
  3. Get a CSR (Certificate Signing Request) generated by FreeIPA
  4. Have your root CA sign the CSR
  5. Complete the FreeIPA setup
  6. Install the Root CA certificate in your browser(s) of choice

Note: all commands are to be run either with sudo or as root.

Creating the root CA pair (private key and certificate)

Generate the private key of your root CA:

openssl genrsa -des3 -out rootCA.key 4096

where:
-des3 is used in order to password protect the private key (important since this will be the key used to sign the certificate; the more security the better)
genrsa indicates we use the asymmetric RSA algorithm
-out rootCA.key specifies the path where we store the private key which in this case is called rootCA.key which will be created in your current directory
4096 is the algorithm key size/length in bits

Generate the certificate of your root CA:

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

where:
-x509 tells openssl req to output a self-signed certificate instead of a CSR
-new generates a new request for that certificate
-nodes means “no DES”, i.e. don’t encrypt an output key (it has no effect here because we pass an existing key)
-key rootCA.key specifies the path where the root CA’s private key that was previously created is
-sha256 is the hash algorithm used for the certificate signature
-days 1024 specifies the number of days for which this root CA certificate will be valid
-out rootCA.crt specifies the path where we store the root CA certificate

At the end of those two steps, you find yourself with the root CA’s private key and certificate ready. Time to move on to the next step.

Installing the FreeIPA packages

This step is fairly straightforward. Just go to your terminal and use the following command:

yum install -y ipa-server bind-dyndb-ldap bind

Getting a CSR (Certificate Signing Request) generated by FreeIPA

ipa-server-install --external-ca

Running the above command will create a new ipa.csr file in /root/ which you will need to sign with the private key of your root CA created previously.

Signing the FreeIPA CSR with the private key of your Root CA

The CSR that ipa-server-install --external-ca writes is for the IPA server’s own CA certificate, not for an ordinary server certificate, so the certificate you sign must be marked as a CA through what is called “Basic Constraints”. Because running the normal signing command will generate a certificate that does not carry that extension, you will run into an issue with it when you finish setting up FreeIPA unless you follow some additional steps described below.

  1. Create a custom openssl configuration file (e.g. ipa.cnf) and add the following content to it:

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true

  2. Run the following command in your terminal:

openssl x509 -req -in ipa.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -extfile ipa.cnf -out ipa.pem

where:
x509 -req tells openssl to read a CSR (rather than a certificate) and turn it into a signed certificate
-in ipa.csr is the path to the IPA CSR generated previously
-CA is the path to the root CA’s certificate
-CAkey is the path to the root CA’s private key (used to sign the CSR)
-CAcreateserial creates the serial number file (rootCA.srl) if it does not exist yet, so each certificate the root issues gets a unique serial
-extfile is the path to the custom openssl configuration we created, which is what adds the Basic Constraints extension
-out ipa.pem is the path to the signed certificate that your IPA server will use

Note that openssl x509 -req issues a certificate valid for only 30 days unless you also pass -days (e.g. -days 1024 as for the root CA), so add it unless you want to redo this step in a month.
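As an added example (not part of the original post), the script below runs the root CA creation and the CSR signing steps from this post end to end against a constructed stand-in for /root/ipa.csr, signs it once with the extension file and once without, and checks each result the way you would before handing ipa.pem to ipa-server-install: the certificate must chain to rootCA.crt and must carry CA:TRUE. It assumes openssl is installed; the subjects and the temporary working directory are assumptions of the example.

```shell
#!/bin/sh
# Added example: root CA + CSR signing + checks. Assumes openssl is installed; subjects are constructed.
set -e
WORK=$(mktemp -d)

# Step 1 from the post. No -des3 here so the script runs unattended; keep -des3 for a real root key.
make_root_ca() {
  openssl genrsa -out "$WORK/rootCA.key" 4096 2>/dev/null
  openssl req -x509 -new -nodes -key "$WORK/rootCA.key" -sha256 -days 1024 \
    -subj "/CN=the-pis.local Root CA" -out "$WORK/rootCA.crt" 2>/dev/null
}

# Stand-in for /root/ipa.csr (constructed): FreeIPA's CSR is for its own CA, not a plain server cert.
make_test_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ipa.key" \
    -subj "/O=THE-PIS.LOCAL/CN=Certificate Authority" -out "$WORK/ipa.csr" 2>/dev/null
}

# Step 4 from the post. -days is explicit: without it, openssl x509 -req issues a 30-day certificate.
sign_ipa_csr() {
  printf '%s\n' 'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid:always,issuer:always' \
    'basicConstraints = CA:true' > "$WORK/ipa.cnf"
  openssl x509 -req -in "$WORK/ipa.csr" -CA "$WORK/rootCA.crt" -CAkey "$WORK/rootCA.key" \
    -CAcreateserial -sha256 -days 1024 -extfile "$WORK/ipa.cnf" -out "$WORK/ipa.pem" 2>/dev/null
}

# The "normal signing command" the post warns about: the same thing without -extfile.
sign_without_extensions() {
  openssl x509 -req -in "$WORK/ipa.csr" -CA "$WORK/rootCA.crt" -CAkey "$WORK/rootCA.key" \
    -CAcreateserial -sha256 -days 1024 -out "$WORK/plain.pem" 2>/dev/null
}

# Returns 0 only if the certificate chains to rootCA.crt AND carries basicConstraints CA:TRUE.
is_usable_ipa_ca_cert() {
  openssl verify -CAfile "$WORK/rootCA.crt" "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

make_root_ca
make_test_csr
sign_ipa_csr
sign_without_extensions
is_usable_ipa_ca_cert "$WORK/ipa.pem"   && echo "ipa.pem: chains to the root and is a CA certificate"
is_usable_ipa_ca_cert "$WORK/plain.pem" || echo "plain.pem: no CA:TRUE, this is the issue the post warns about"
```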

Completing the FreeIPA setup

You’re now finally ready to finish the setup of FreeIPA with this final command:

ipa-server-install --external_cert_file=ipa.pem --external_ca_file=rootCA.crt

where:
--external_cert_file=ipa.pem is the path to the FreeIPA certificate you created with the previous step
--external_ca_file=rootCA.crt is the path to the root CA’s certificate

Current FreeIPA documentation spells these options --external-cert-file and --external-ca-file; use that form if the installer rejects the underscore version.

If everything went ok, the installer will complete without errors.

Install the Root CA certificate in your browser(s) of choice

Unless you manually add the root CA’s certificate as a trusted root CA in your browser, the browser will not trust the certificate your IPA server presents. Finish up by importing this file into your browser of choice and then you’re finally good to go! You’ll have to repeat that step on any other machine you set up to browse to your FreeIPA server.

Final note

Don’t forget that in order for other computers to be able to navigate to that server, you’ll have to either update the hosts file or update the DNS settings (e.g. nameserver and search settings in /etc/resolv.conf on Linux).
