Configuring PIN Authenticated Certificate Profile
This document describes how to configure a PIN-authenticated certificate profile such as:
- caDirPinUserCert: Directory-Pin-Authenticated User Dual-Use Certificate Enrollment
- caECDirPinUserCert: Directory-Pin-Authenticated User Dual-Use ECC Certificate Enrollment
Prepare a publicly accessible LDAP subtree that contains users. Each user must be able to authenticate using a password. For example:
$ ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: ou=people,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: people
aci: (target="ldap:///ou=people,dc=example,dc=com") (targetattr=objectClass||dc||ou||uid||cn||sn||givenName) (version 3.0; acl "Allow anyone to read and search basic attributes"; allow (search, read) userdn = "ldap:///anyone";)
aci: (target="ldap:///ou=people,dc=example,dc=com") (targetattr=*) (version 3.0; acl "Allow anyone to read and search itself"; allow (search, read) userdn = "ldap:///self";)

dn: uid=testuser,ou=people,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: testuser
cn: Test User
sn: User
userPassword: Secret.123
EOF
Verify the authentication using the following command:
$ ldapsearch \
    -H ldap://$HOSTNAME \
    -x \
    -D "uid=testuser,ou=people,dc=example,dc=com" \
    -w Secret.123 \
    -b "dc=example,dc=com" \
    "(objectClass=*)"
The caDirPinUserCert profile is stored in /var/lib/pki/pki-tomcat/ca/profiles/ca/caDirPinUserCert.cfg.
By default the profile is disabled. To enable the profile, update the following parameter:
enable=true
By default the certificate will be valid for 180 days. For testing, the validity range can be shortened, e.g. to 5 minutes:
policyset.userCertSet.2.default.params.range=5
policyset.userCertSet.2.default.params.rangeUnit=minute
By default the profile is configured with the PinDirEnrollment authentication manager:
auth.instance_id=PinDirEnrollment
Add the PinDirEnrollment authentication manager to /var/lib/pki/pki-tomcat/ca/conf/CS.cfg:
auths.instance.PinDirEnrollment.pluginName=UidPwdPinDirAuth
auths.instance.PinDirEnrollment.ldap.basedn=ou=people,dc=example,dc=com
auths.instance.PinDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.PinDirEnrollment.ldap.ldapconn.host=pki.example.com
auths.instance.PinDirEnrollment.ldap.ldapconn.port=389
The UidPwdPinDirAuth authentication plugin is already defined in CS.cfg:
auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication
Finally, restart the CA subsystem:
$ pki-server ca-redeploy --wait
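As an added example (not part of this wiki page or of the Dogtag code base), the following Python script checks that the three pieces configured above are wired together before the redeploy: the profile is enabled and names an auth.instance_id, CS.cfg defines that authentication manager with its LDAP settings, and the manager's pluginName has a matching auths.impl entry. It also flags BasicAuth over port 389, since a simple bind sends the user's credentials in cleartext unless the connection is TLS-protected. The sample file contents are constructed from the settings on this page; in practice you would read the profile file and CS.cfg from the paths given above.

```python
# Constructed samples mirroring the settings on this page (not real files)
SAMPLE_PROFILE = """\
enable=true
auth.instance_id=PinDirEnrollment
"""
SAMPLE_CS_CFG = """\
auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication
auths.instance.PinDirEnrollment.pluginName=UidPwdPinDirAuth
auths.instance.PinDirEnrollment.ldap.basedn=ou=people,dc=example,dc=com
auths.instance.PinDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.PinDirEnrollment.ldap.ldapconn.host=pki.example.com
auths.instance.PinDirEnrollment.ldap.ldapconn.port=389
"""

def parse_cfg(text: str) -> dict:
    """Parse the key=value format of CS.cfg and profile files ('#' starts a comment)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg

def check_pin_profile(profile: dict, cs: dict) -> list:
    """Return findings; an empty list means profile, manager and plugin are wired together."""
    findings = []
    if profile.get("enable") != "true":
        findings.append("profile is disabled (enable != true)")
    auth_id = profile.get("auth.instance_id")
    if not auth_id:
        return findings + ["profile has no auth.instance_id"]
    prefix = f"auths.instance.{auth_id}."
    plugin = cs.get(prefix + "pluginName")
    if plugin is None:
        return findings + [f"CS.cfg defines no authentication manager {auth_id}"]
    if f"auths.impl.{plugin}.class" not in cs:
        findings.append(f"plugin {plugin} has no auths.impl.{plugin}.class entry")
    for key in ("ldap.basedn", "ldap.ldapconn.host", "ldap.ldapconn.port"):
        if prefix + key not in cs:
            findings.append(f"missing {prefix}{key}")
    # Simple bind over plain LDAP exposes the bind credentials unless the connection uses TLS
    if cs.get(prefix + "ldap.ldapauth.authtype") == "BasicAuth" and cs.get(prefix + "ldap.ldapconn.port") == "389":
        findings.append("BasicAuth over port 389: confirm the CA-to-LDAP connection is TLS-protected")
    return findings

def run_sample() -> list:
    return check_pin_profile(parse_cfg(SAMPLE_PROFILE), parse_cfg(SAMPLE_CS_CFG))
```

Running run_sample() on the constructed samples reports only the BasicAuth-over-389 finding; everything else on this page's configuration is consistent.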