FreeIPA: CSR Generation and SSL installation

The Dogtag packages are now available in Fedora. The required packages should be retrieved as dependencies when installing ipa-server.

This only makes the binary files available to the IPA installation script. The installer creates and configures the Dogtag components needed for a certification authority.


A Dogtag certification authority is installed by default by IPA. To install with a self-signed certification authority instead of Dogtag, pass the --selfsign argument to ipa-server-install.

The certification authority uses a separate instance of DS that is used only for the certification authority. This instance is called PKI-IPA.

A CA instance is installed in /var/lib/pki-ca.

A copy of the CA root certificate and private key is placed in /root/cacert.p12.

A copy of the CA agent certificate is stored in /root/ca-agent.p12. This agent certificate can be imported into a browser and used to manage CS via the web interface (not recommended).

Use another certification authority (Sectigo / Secorio) to sign the IPA certification authority certificate

If you have an existing certification authority, you can use it to make the IPA certification authority a subordinate CA.

This is a three step process:

  • Have ipa-server-install generate a Certificate Signing Request (CSR)
  • Take the CSR to your certification authority and have it signed
  • Provide the resulting certificate for ipa-server-install to complete the installation

Detailed instructions

Run ipa-server-install with the appropriate arguments for your environment and add the --external-ca flag:

# ipa-server-install --external-ca

This creates a CSR in /root/ipa.csr. This is the file that you must provide to your CA for signing. You also need a PEM copy of your CA trust chain.

Once you have both, you can continue the installer:

# ipa-server-install --external_cert_file=/root/ipa.crt --external_ca_file=/root/bestehende_ca.crt

The server caches the answers the first time you run the installer, so you don't have to answer the questions again. This cache is removed when the installer is run again.

The paths to the certificate file and the CA file must be absolute paths. The Dogtag silent installer will fail if this is not the case.

After completing the installation, you have the same files as an independent IPA certification authority: /root/cacert.p12 and /root/ca-agent.p12.

The only difference is that in this mode the CA certificate is signed by your external certification authority, whereas in standard mode it is self-signed.
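
Before continuing the installer, it is worth confirming that the certificate the external CA returned belongs to the CSR, is a CA certificate, and verifies against the trust chain you are about to pass in. The script below is an added example, not part of the original page or of FreeIPA; the function names and the throwaway demo CA built by make_demo are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not FreeIPA code: checks on the files returned by the
# external CA. Function names and the demo data are illustrative assumptions.

pubkey_hash() {  # $1 = "req" or "x509", $2 = PEM file
    openssl "$1" -in "$2" -noout -pubkey | openssl sha256
}

check_external_ca_files() {  # $1 = CSR, $2 = signed cert, $3 = CA chain
    [ -r "$1" ] && [ -r "$2" ] && [ -r "$3" ] ||
        { echo "unreadable input file" >&2; return 1; }
    for f in "$2" "$3"; do
        case "$f" in  # the installer requires absolute paths
            /*) ;;
            *) echo "not an absolute path: $f" >&2; return 2 ;;
        esac
    done
    # The signed certificate must carry the public key from the CSR.
    [ "$(pubkey_hash req "$1")" = "$(pubkey_hash x509 "$2")" ] ||
        { echo "certificate key differs from CSR key" >&2; return 3; }
    # A subordinate CA certificate needs basicConstraints CA:TRUE.
    openssl x509 -in "$2" -noout -text | grep -q 'CA:TRUE' ||
        { echo "not a CA certificate" >&2; return 4; }
    # The certificate must verify against the supplied trust chain.
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 ||
        { echo "does not verify against the chain" >&2; return 5; }
}

make_demo() {  # $1 = absolute work dir; writes constructed throwaway files
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/root.key" \
        -out "$1/root.crt" -subj "/O=Demo/CN=Demo Root" -days 2 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/ipa.key" \
        -out "$1/ipa.csr" -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" 2>/dev/null
    echo 'basicConstraints=critical,CA:TRUE' > "$1/ca.ext"
    openssl x509 -req -in "$1/ipa.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -CAcreateserial -extfile "$1/ca.ext" -days 2 -out "$1/ipa.crt" 2>/dev/null
    # The same CSR signed without the CA extension, for the failing case.
    openssl x509 -req -in "$1/ipa.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -CAcreateserial -days 2 -out "$1/leaf.crt" 2>/dev/null
}

# Usage with the paths from this page:
#   check_external_ca_files /root/ipa.csr /root/ipa.crt /root/bestehende_ca.crt
```

A non-zero return code identifies which check failed: 2 for a relative path, 3 for a key mismatch, 4 for a missing CA flag, 5 for a chain that does not verify.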

Use certificates from another certification authority (Sectigo)

If you don't want to use the new IPA-CA features, that's fine, but you need to take some extra steps.

There are two ways to do this:

  • Install IPA with the self-signing certification authority and replace the server certificates after installation
  • Provide the installer with PKCS #12 files (and still use the self-signing certificate authority, but no certificates are generated).

Setting enable_ra to False in these steps deactivates the cert plugin in the XML-RPC interface. Your IPA server then cannot issue certificates.

Install and replace

To use the Install and Replace method, do the following:

  • Install the IPA server with the --selfsign option
  • Once IPA is running, run ipa-server-certinstall once for the DS and once for Apache to replace the server certificates
  • If you want automatic Firefox configuration to work, use an object signing certificate to sign the JAR file /usr/share/ipa/html/configure.jar
  • Replace the CA certificate in /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt
  • Edit /etc/ipa/default.conf and set enable_ra to False
  • Restart Apache

Install with your own certificates

To use the Install your own method, do the following:

  • Install the IPA server with the --http_pkcs12 and --dirsrv_pkcs12 options and the corresponding pin arguments. Your PKCS #12 files should include the server certificate, key, and CA certification chain.
  • If you want automatic Firefox configuration to work, use an object signing certificate to sign the JAR file /usr/share/ipa/html/configure.jar
  • Make sure that the CA certificate in /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt is correct
  • Edit /etc/ipa/default.conf and set enable_ra to False
  • Restart Apache

Work with certificates

Once your certification authority is configured, authorized users can perform a number of operations.

Request a certificate

You start with a Certificate Signing Request (CSR). In our case, it is a base64-encoded PKCS #10 request that looks something like this:


To generate a CSR with OpenSSL, run:

% openssl req -new -nodes -out host.csr

You will be asked to provide the subject of the certificate (country, state, organization, etc.). The only critical point is the common name. This must be set to the FQDN of your host.

The CSR is in the host.csr file and the key for this request is in privkey.pem.

With NSS you need a certificate database to start with, so there is an extra step. An NSS CSR generation looks like this:

% certutil -N -d /tmp/test
% certutil -R -s 'CN=' -d /tmp/test -o test.csr -g 2048 -a

The CSR must be passed as a single string on the command line:

$ ipa cert-request --principal=ldap2/ --add 'MIIBejCB5AIBADA7MQwwCgYDVQQKEwNJUEExEDAOBgNVBAsTB3BraS1pcGExGTAXBgNVBAMTEHpldXMuZ3JleW9hay5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANSiseMKVF/ft44rJDM5XKaMo6jo03TBAC2i61D1GZL6nZ1trl6Oc4YfXccrbQLQ4RGLB6vwDE8vHyYh36OICb1EiWJ+bRaPsn9FaO2mk4qyZp2U/om52BCTSrOq+O+EhTdqLs+hUmUFRDpzmGX3x3UU0JR7cPcvNbcnNQvqfb2NAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQAjWFSgv3KZbcjn8V3rhAnuXG9xFzsqD5XsDRBsIMIrG/KNtw4VZBzuXlU2zOdoYm1vlSlzwep9xWXJi5L8HejyqPiCf2mLB60ZxBJLbe1UQ07+oCBMrxck4VXmnySWekRzfYy9lqV0lP/3A5UC6jbtrqJ6t5mp3yiwkjEzEJGp3A=='

Certificate: MIIC7DCCAdSgAwIBAgIBCzANBgkqhkiG9w0BAQUFADAuMQwwCgYDVQQKEwNJUEExHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0wOTEwMDkxNTU5MzJaFw0xMDA0MDcxNTU5MzJaMDsxDDAKBgNVBAoTA0lQQTEQMA4GA1UECxMHcGtpLWlwYTEZMBcGA1UEAxMQemV1cy5ncmV5b2FrLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1KKx4wpUX9+3jiskMzlcpoyjqOjTdMEALaLrUPUZkvqdnW2uXo5zhh9dxyttAtDhEYsHq/AMTy8fJiHfo4gJvUSJYn5tFo+yf0Vo7aaTirJmnZT+ibnYEJNKs6r474SFN2ouz6FSZQVEOnOYZffHdRTQlHtw9y81tyc1C+p9vY0CAwEAAaOBizCBiDAfBgNVHSMEGDAWgBSaCxEepKwX6jI6LVrOiHgmiM4EwjBABggrBgEFBQcBAQQ0MDIwMAYIKwYBBQUHMAGGJGh0dHA6Ly96ZXVzLmdyZXlvYWsuY29tOjkxODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADggEBAGljf00jgdkyivJFOONlu/lNb25vpWnM/Wu3N6F6hcYC722YjzAFFAFA6wJf4QybrUGQiihh4veqRlknZeoR8Wlc9491E+lGwyk4SZxmSWMHc/TEoTDKPqrngTaf3YsjzBqPhQQF6TkM1TL68uMsU4uHl7mWtD9ueDVQkWlWmTJEJXcT8OdvIFOC/Wb+Vq9FV1lgJAosXmt8poZyHPGX+GiVxdtdZpoZSb7vyMg0FvjhSHNoX8tVo5QKlzxsci+xRkT4tcAe+ReFyQ7+aX851QMluttEUT1Gz1OxnfGojvHbiqYkH92fk+eUJtTZHGpK5H1U5gJVFauCKf/8SzU4awE=
request_id: 11
serial_number: 0xb
status: 0
subject:,OU=pki-ipa,O=IPA

There is also a shortcut method, although it doesn't work today (October 9).

ipa cert-request file://test.csr --principal=ldap3/ --add

Put a cert on hold

$ ipa cert-revoke --revocation-reason=6 0xb

Remove a cert from hold

$ ipa cert-remove-hold 0xb

Revoke a certificate

$ ipa cert-revoke --revocation-reason=1 0xb
revoked: True
status: 0

Retrieve a revoked certificate

$ ipa cert-get 0xb
certificate: MIIC7D...
revocation_reason: 1
status: 0


If you want a certificate to be removed, revoke it. RFC 5280 defines the following reasons for the revocation:

  • 0 – unspecified
  • 1 – keyCompromise
  • 2 – cACompromise
  • 3 – affiliationChanged
  • 4 – superseded
  • 5 – cessationOfOperation
  • 6 – certificateHold
  • 8 – removeFromCRL
  • 9 – privilegeWithdrawn
  • 10 – aACompromise

Note that reason code 7 is not used.

A CRL is generated by the CA that contains a list of revoked certificates. This may be retrieved from an IPA server at:

Work with services

Note that this service feature is not in Alpha 1

When you request a certificate:

  • The server checks the "request certificate" virtual ACI to determine whether the requester has permission to request certificates.
  • The subject of the certificate request is compared with the host name of the requested principal. They must match.
  • The requested service record is retrieved. If the service already has a userCertificate attribute, the request is stopped.
  • If the service is absent and the --add argument is omitted, the request is stopped.
  • If the --add option has been requested and the requester is not authorized to add services, the request is stopped.
  • The requester must be listed in the managedBy attribute of the service record.


This is a multi-valued attribute that contains the distinguished names of all hosts that are allowed to write the userCertificate attribute of this service. Use the service-add-host and service-remove-host commands to control access.
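
A client can run the subject check from the list above before it submits anything, and flatten the CSR into the single string that "Request a certificate" calls for. The script below is an added example, not code from the original page or from FreeIPA; the function names, host names and the locally generated demo CSR are assumptions.

```sh
#!/bin/sh
# Added example, not FreeIPA code. Function names and host names are
# illustrative assumptions; the CSR is generated locally as constructed data.

csr_cn() {  # print the subject CN of the PEM CSR in $1
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

principal_host() {  # "HTTP/host.example.com@REALM" -> "host.example.com"
    case "$1" in
        */?*) h=${1#*/}; printf '%s\n' "${h%%@*}" ;;
        *) echo "principal has no host part: $1" >&2; return 1 ;;
    esac
}

csr_matches_principal() {  # $1 = CSR file, $2 = service principal
    want=$(principal_host "$2") || return 2
    have=$(csr_cn "$1")
    # Host names compare case-insensitively; an empty CN never matches.
    [ -n "$have" ] && [ "$(printf '%s' "$have" | tr 'A-Z' 'a-z')" = \
        "$(printf '%s' "$want" | tr 'A-Z' 'a-z')" ]
}

csr_oneline() {  # PEM body as one base64 string, the form cert-request is given
    grep -v -e '-----' "$1" | tr -d ' \r\n'
}

make_demo_csr() {  # $1 = output file, $2 = CN; constructed throwaway CSR
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/O=EXAMPLE.TEST/CN=$2" 2>/dev/null
}

# Usage on an enrolled client, in the command form this page shows:
#   csr_matches_principal web.csr HTTP/client.example.com &&
#       ipa cert-request --principal=HTTP/client.example.com "$(csr_oneline web.csr)"
```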


This example shows the steps that must be performed by an administrator and a client computer that is trying to request a certificate for itself. This assumes that the CSR has already been generated and is in the web.csr file in the current directory.


ipa host-add --password=secret123
ipa service-add HTTP/
ipa service-add-host --hosts= HTTP/
ipa rolegroup-add-member --hosts= certadmin


ipa-join -w secret123
kinit -kt /etc/krb5.keytab host/
ipa -d cert-request file://web.csr --principal=HTTP/client.example.com

What does this do?


  • Add a new host with a unique password
  • Create an HTTP service principal for the host
  • Allow the host to manage its own userCertificate attribute
  • Allow the host to manage certificates (request, revoke, etc.)


  • Configure the client to use the IPA realm
  • Connect the host to the realm and get a keytab
  • Get a Kerberos ticket for the machine
  • Request a certificate


Let us consider the case of a VPN server. On an IPA client we want to set up a VPN tunnel to a remote host, maybe at another company. To do this, we need to create an entry for this remote host, a service principal to save the certificate, and then issue the certificate.

Some of these jobs need to be done as an administrator:

% kinit admin 
% ipa host-add 
% ipa service-add vpn/
% ipa service-add-host --hosts= vpn/

We created the remote host and a service principal for it and gave the host permission to request a certificate on behalf of This requires that the certificate request for is in the vpn.csr file.

On ipa.example.com:

% kinit -kt /etc/krb5.keytab host/
% ipa cert-request --principal=vpn/ vpn.csr
% ipa service-show vpn/