
FreeIPA uses dogtag and NSS for PKI. Ubuntu and a lot of the world uses OpenSSL. I now have a pair of FreeIPA test servers replicating certificate functionality, and the single interface for authentication, authorization, and DNS is convenient. I'm more familiar with OpenSSL.

I do not understand, however, how to configure Apache2's HTTPd to authenticate a site based on dogtag certificates. I'm trying to get the Apache module mod_ssl to work using these instructions: https://pagure.io/mod_nss. My certificate is valid. How do I get a site to be trusted (similar to 'SSLCertificateFile /path/to/cert.pem' and the associated key file)?

I'd appreciate a snippet of how that part of the VirtualHost directive should look.

Edit: I know I could convert/export the cert, but this would require manual work to renew/replace the cert. (http://itdoc.hitachi.co.jp/manuals/3020/30203Y1800e/EY180073.HTM)

ndemarco

2 Answers


Just look at more recent FreeIPA releases or git master. Since version 4.7, FreeIPA has used mod_ssl internally instead of mod_nss.

abbra
  • Thanks. This link seems relevant, now that I'm not searching for NSS. https://www.freeipa.org/page/V4/mod_nss_to_mod_ssl – ndemarco Feb 29 '20 at 18:01
  • The whole configuration is whatever is the default for `ssl.conf` in `mod_ssl` package. What FreeIPA modifies during installation is a minimal set of options, outlined here: https://github.com/freeipa/freeipa/blob/master/ipaserver/install/httpinstance.py#L413-L434 – abbra Mar 02 '20 at 07:35

As an addition to what abbra pointed out (he's one of the developers of FreeIPA, by the way), you can configure Apache with mod_ssl. Just don't do that on the key distribution centers (KDCs); get a domain-joined host and configure mod_ssl as you would normally.

You should not configure any vhosts on the KDCs anyway, but just in case ;-)

natxo asenjo
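Putting both answers together, here is an added example (not code from the thread, FreeIPA or any poster) of the "configure mod_ssl as you would normally" step on an enrolled, non-KDC Ubuntu host. Instead of exporting a certificate out of NSS by hand, the host's certmonger (`ipa-getcert`, installed with the FreeIPA client) requests the certificate from the IPA CA as plain PEM files and renews them itself; the `-C` post-save command reloads Apache after every (re)issue, which addresses the manual-renewal concern in the question's edit. The hostname `www.example.test`, the `/etc/ssl/...` paths, the site file name and the `RUN_IPA` switch are assumptions for illustration only; the script requires an `HTTP/<fqdn>` service principal in IPA, which it creates when run for real.

```shell
#!/bin/sh
# Added example: mod_ssl VirtualHost fed by a FreeIPA-issued certificate that
# certmonger keeps renewed. Hostname, paths and site name are assumptions.

VHOST="www.example.test"                      # FQDN of the enrolled web host (assumed)
CERT="/etc/ssl/certs/${VHOST}.crt"            # certmonger writes the PEM certificate here (assumed path)
KEY="/etc/ssl/private/${VHOST}.key"           # certmonger writes the PEM private key here (assumed path)
SITE="/etc/apache2/sites-available/${VHOST}.conf"

# Render the VirtualHost stanza for mod_ssl: $1 = ServerName, $2 = cert path, $3 = key path.
# These are ordinary mod_ssl directives; nothing NSS-specific is needed because
# certmonger already produced PEM files.
vhost_conf() {
  cat <<EOF
<VirtualHost *:443>
    ServerName $1
    DocumentRoot /var/www/$1

    SSLEngine on
    SSLCertificateFile    $2
    SSLCertificateKeyFile $3
    # Clients must trust the IPA CA (on enrolled hosts it lives in /etc/ipa/ca.crt);
    # no SSLCertificateChainFile is needed when the IPA CA signs the leaf directly.

    # Only modern protocol versions; mod_ssl's defaults already pick sane ciphers.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
EOF
}

# Ask the host's certmonger to obtain and track a certificate from the IPA CA:
#   -f/-k  PEM output paths   -N subject   -D DNS SAN   -K Kerberos principal of the service
#   -C     command run after every save, so a renewed cert is picked up without manual work
#   -w     wait until the certificate has actually been issued
request_cert() {
  ipa-getcert request \
    -f "$2" -k "$3" \
    -N "CN=$1" -D "$1" -K "HTTP/$1" \
    -C "systemctl reload apache2" -w
}

if [ "${RUN_IPA:-0}" = 1 ]; then
  # Real run: needs an admin Kerberos ticket for service-add; the host is
  # automatically allowed to manage services registered for its own FQDN.
  ipa service-add "HTTP/$VHOST"
  request_cert "$VHOST" "$CERT" "$KEY"
  vhost_conf "$VHOST" "$CERT" "$KEY" > "$SITE"
  a2enmod ssl && a2ensite "$VHOST" && systemctl reload apache2
else
  # Dry run (default): just show the VirtualHost that would be written.
  vhost_conf "$VHOST" "$CERT" "$KEY"
fi
```

Run it once with `RUN_IPA=1` as root on the web host after `ipa-client-install`; afterwards `ipa-getcert list` shows the tracked request and its expiry, and renewal plus the Apache reload happen without touching the config again. Do not do any of this on the IPA servers themselves, as the second answer says: their Apache instance is FreeIPA's own.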