The FreeIPA Master Class - Part 6

The FreeIPA Master Class - Part 6

Published Feb. 24, 2025, 5:20 a.m. by dwest

Managing Certificates and Services

In the previous parts of this series we covered:

  • Installing FreeIPA
  • Joining systems to the domain
  • Managing users and groups
  • Kerberos authentication
  • Host-Based Access Control (HBAC)
  • Centralized sudo policies

At this point, FreeIPA is acting as the identity backbone of your infrastructure. Users can authenticate, access policies are enforced and systems are centrally managed. However, modern infrastructure also requires secure communication between services. This is where FreeIPA’s built-in certificate authority (CA) and service principals become extremely useful. FreeIPA includes an integrated Public Key Infrastructure (PKI) that can automatically issue and manage certificates for hosts and services.

This allows administrators to:

  • Automatically generate TLS certificates
  • Secure services such as web servers and LDAP
  • Authenticate services using Kerberos
  • Manage certificate lifecycle centrally

In this article we will explore how FreeIPA manages certificates and service identities.

FreeIPA Certificate Authority

FreeIPA includes a full certificate authority powered by the Dogtag Certificate System.

This CA issues certificates for:

  • Hosts
  • Services
  • Users
  • Web servers
  • LDAP
  • VPN servers
  • Internal infrastructure

The CA automatically integrates with FreeIPA authentication, making certificate management much easier than maintaining a separate PKI.

Viewing the Certificate Authority

You can view information about the certificate authority using:

ipa ca-show

Example output:

CA name: ipa
Subject DN: CN=Certificate Authority,O=EXAMPLE.COM
Status: enabled

The CA automatically signs certificates for hosts and services that are enrolled in the domain.

Host Certificates

When a system joins the FreeIPA domain, a host principal is created and a certificate can be issued.

Example host principal:

host/server01.example.com

The host certificate is typically stored in:

/etc/ipa/ca.crt

And the system keytab:

/etc/krb5.keytab

These credentials allow the host to authenticate securely with FreeIPA services.

Requesting a Certificate

Certificates can be requested using the ipa cert-request command.

Example:

ipa cert-request server.csr

However, most of the time certificates are requested automatically using the certmonger service.

Certmonger handles:

  • Certificate requests
  • Certificate renewal
  • Automatic rekeying
  • Tracking certificate expiration

Certmonger

Certmonger is a daemon that manages certificates on FreeIPA clients.

Check its status:

systemctl status certmonger

List tracked certificates:

getcert list

Example output:

Request ID '20190220123456':
status: MONITORING
stuck: no
key pair storage: type=FILE
certificate: type=FILE
issuer: CN=Certificate Authority,O=EXAMPLE.COM

Certmonger automatically renews certificates before they expire.

Service Principals

Kerberos does not only authenticate users. It also authenticates services. Services use service principals to identify themselves in the Kerberos realm.

Examples:

HTTP/webserver.example.com
cifs/fileserver.example.com
ldap/server.example.com

These principals allow services to participate in Kerberos authentication.

Creating a Service Principal

  1. Create a service
ipa service-add HTTP/webserver.example.com
  1. Verify it exists
ipa service-find HTTP

Example output:

Principal: HTTP/webserver.example.com@EXAMPLE.COM

Generating a Keytab

Services authenticate using keytabs, which store encrypted Kerberos credentials.

Generate a keytab:

ipa-getkeytab
-s ipa.example.com
-p HTTP/webserver.example.com
-k /etc/httpd/http.keytab

This keytab allows the service to authenticate automatically.

Using Kerberos with Web Services

Kerberos can enable single sign-on for web applications.

Example Apache configuration:

AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms EXAMPLE.COM
KrbServiceName HTTP
Krb5KeyTab /etc/httpd/http.keytab
Require valid-user

Users who already have Kerberos tickets can access the site without entering credentials again.

Requesting a TLS Certificate for a Service

Many services require TLS encryption.

Example certificate request:

ipa cert-request
--principal=HTTP/webserver.example.com
server.csr

The CA will sign the certificate and return it.

Viewing Certificates

List certificates:

ipa cert-find

Example output:

Serial number: 15
Subject: CN=webserver.example.com
Issuer: CN=Certificate Authority,O=EXAMPLE.COM

Revoking Certificates

If a certificate is compromised, revoke it immediately.

ipa cert-revoke 15

You can verify revoked certificates with:

ipa cert-show 15

Revoked certificates appear in the Certificate Revocation List (CRL).

Certificate Renewal

Certificates expire periodically. Certmonger automatically renews certificates before expiration. You can manually renew a certificate with:

ipa-getcert resubmit -i <request_id>
Note:
If the tomcat service is not working correctly, then certmonger might not automatically renew the service as expected. It is recommended that you correct this before the certificate expires. Otherwise, you will need to generate a new CSR and manually renew it yourself. This becomes increasingly difficult if a CA expires.

Exporting the FreeIPA CA Certificate

Browsers and external systems will not trust the FreeIPA CA by default. This usually manifests with an error message saying “untrusted ca in chain” or “self-signed certificate in chain”. To fix this, you will need to export the CA from the IPA server and then import it into the CA store on every system and/or application that plans to access it.

From any host, export the CA certificate:

openssl s_client -connect ipa.example.com:443 -showcerts
< /dev/null > ipa_ca.crt

Import this certificate into:

  • Web browsers
  • OS trust stores
  • Load balancers
  • Reverse proxies
  • Application Keystores

Each browser maintains their keystore slightly differently. If you are binding a Java-based application to FreeIPA, then you will need to make sure you import it into the Java keystore on the host.

When to Use FreeIPA Certificates

FreeIPA certificates work best for internal infrastructure, including:

  • Internal web services
  • LDAP servers
  • VPN endpoints
  • Kerberos services
  • Internal APIs

For public internet services, you may still want to use certificates from a public CA such as Let’s Encrypt. FreeIPA “can” manage 3rd party certificates, but the process is non-trivial and outside the scope of this guide.

Common Certificate Issues

  • Expired certificates

    • Check tracked certificates: 
      getcert list

  • Certmonger not running

    • Restart the service 
      systemctl restart certmonger

  • Incorrect service principal

    • Verify service exists: 
      ipa service-find

Why FreeIPA Certificates Matter

Without centralized certificate management, administrators often struggle with:

  • Expired TLS certificates
  • Manually issuing certificates
  • Managing trust relationships
  • Rotating service credentials

FreeIPA solves these problems by combining:

  • Identity management
  • Kerberos authentication
  • Certificate lifecycle management

All within a single platform.

What’s Next

In the next part of the FreeIPA Master Class, we will explore one of the most important topics for production deployments:

FreeIPA Replication and High Availability

We will cover:

  • Multi-master replication
  • Replica topology
  • CA replication
  • Renewal masters
  • Designing resilient FreeIPA environments

Next: The FreeIPA Master Class - Part 7

Share this post

Similar posts

The FreeIPA Master Class - Part 5

The FreeIPA Master Class - Part 4

The FreeIPA Master Class - Part 3

The FreeIPA Master Class - Part 2

0 comments

There are no comments.

Add a new comment

Search
Categories
Popular Posts