Unit 6: Service certificates
****************************

You probably noticed that the web service was not hosted over HTTPS,
so there is no TLS-based authentication or confidentiality.  In this
unit, we will issue an X.509 certificate for the web service via the
*Certmonger* program.

Certmonger supports multiple CAs including FreeIPA's CA, and can
generate keys, issue certificate requests, track certificates, and
renew tracked certificates when the expiration time approaches.  We
will also use "mod_ssl" with Apache.


Issue the service certificate
=============================

Let's start by confirming that the HTTP service does not yet have a
certificate:

   [client]$ ipa service-show HTTP/client.ipademo.local
     Principal name: HTTP/client.ipademo.local@IPADEMO.LOCAL
     Principal alias: HTTP/client.ipademo.local@IPADEMO.LOCAL
     Keytab: True
     Managed by: client.ipademo.local

Enable and start Certmonger:

   [client]$ sudo systemctl enable --now certmonger
   Created symlink /etc/systemd/system/multi-user.target.wants/certmonger.service → /usr/lib/systemd/system/certmonger.service.

Now let's request a certificate.  We will generate a key and store the
certificate as files under "/etc/pki/tls" (the "-k" and "-f" paths in
the command below):

   [client]$ sudo ipa-getcert request \
               -f /etc/pki/tls/certs/app.crt \
               -k /etc/pki/tls/private/app.key \
               -K HTTP/client.ipademo.local \
               -D client.ipademo.local
   New signing request "20180603185400" added.

Let's break down some of those command arguments.

"-k <path>"
   Path to private key (Certmonger will generate it)

"-f <path>"
   Path to certificate (where it will be saved after being issued)

"-K <principal>"
   Kerberos service principal; because different kinds of services may
   be accessed at one hostname, this argument tells Certmonger which
   service principal is the subject

"-D <dnsname>"
   Requests the given domain name to appear in the *Subject
   Alternative Name (SAN)* extension; modern browsers no longer consult
   the *Common Name (CN)* field when verifying the hostname, so the SAN
   value is essential

Another important option is "-N <subject-name>".  It defaults to the
system hostname, which in our case ("client.ipademo.local") is
appropriate.

Let's check the status of our certificate request using the tracking
identifier given in the "ipa-getcert request" output:

   [client]$ sudo getcert list -i 20180603185400
   Number of certificates and requests being tracked: 1.
   Request ID '20180603185400':
     status: MONITORING
     stuck: no
     key pair storage: type=FILE,location='/etc/pki/tls/private/app.key'
     certificate: type=FILE,location='/etc/pki/tls/certs/app.crt'
     CA: IPA
     issuer: CN=Certificate Authority,O=IPADEMO.LOCAL
     subject: CN=client.ipademo.local,O=IPADEMO.LOCAL
     expires: 2020-06-03 18:54:00 UTC
     dns: client.ipademo.local
     principal name: HTTP/client.ipademo.local@IPADEMO.LOCAL
     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command:
     post-save command:
     track: yes
     auto-renew: yes

Confirm that the certificate was issued and that Certmonger is now
"MONITORING" the certificate and will "auto-renew" it when it is close
to expiration.  Now if you run "ipa service-show", you will see a
number of attributes related to the certificate, including the
certificate itself.  Can you work out how to save the PEM-encoded
certificate to a file?
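As an added example (not part of the workshop), the following Python script parses the "getcert list" output shown above and flags a tracked request that is not "MONITORING", is stuck, has "auto-renew" off, lacks the expected SAN "dns" name or the "id-kp-serverAuth" EKU, or expires within 30 days.  The sample input is constructed from this unit's output, and the 30-day threshold and field names checked are this example's own assumptions.

```python
# Added example: parse `getcert list` output and flag tracked requests that need attention.
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the `getcert list -i ...` output in this unit.
SAMPLE = """\
Number of certificates and requests being tracked: 1.
Request ID '20180603185400':
  status: MONITORING
  stuck: no
  certificate: type=FILE,location='/etc/pki/tls/certs/app.crt'
  expires: 2020-06-03 18:54:00 UTC
  dns: client.ipademo.local
  eku: id-kp-serverAuth,id-kp-clientAuth
  track: yes
  auto-renew: yes
"""

def parse_getcert_list(text):
    """Return {request_id: {field: value}} from `getcert list` output."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and line.startswith(" ") and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()   # e.g. current["status"] = "MONITORING"
    return requests

def parse_utc(stamp):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamp into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def check_request(fields, hostname, now, min_days=30):
    """Return the problems found; an empty list means the tracked cert looks healthy."""
    problems = []
    if fields.get("status") != "MONITORING":
        problems.append("status is %s, not MONITORING" % fields.get("status"))
    if fields.get("stuck") != "no":
        problems.append("request is stuck")
    if fields.get("auto-renew") != "yes":
        problems.append("auto-renew is off")
    if hostname not in fields.get("dns", "").split(","):
        problems.append("SAN dNSName list lacks %s" % hostname)
    if "id-kp-serverAuth" not in fields.get("eku", "").split(","):
        problems.append("EKU lacks id-kp-serverAuth")
    if parse_utc(fields["expires"]) - now < timedelta(days=min_days):
        problems.append("expires within %d days" % min_days)
    return problems
```

On a real client, feed the script the output of "sudo getcert list" and the current time; anything it returns is a reason to look at the request before the certificate lapses.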


Set up TLS for Apache
=====================

Now we can reconfigure Apache to serve our app over TLS.  Update
"app.conf" to listen on port 443 and add the SSL directives:

   ...
   Listen 443

   <VirtualHost *:443>
       SSLEngine on
       SSLCertificateFile "/etc/pki/tls/certs/app.crt"
       SSLCertificateKeyFile "/etc/pki/tls/private/app.key"

       ServerName client.ipademo.local
       ...

Restart Apache and make a request to the app over HTTPS:

   [client]$ sudo systemctl restart httpd
   [client]$ curl -u : --negotiate https://client.ipademo.local
   LOGGED IN AS: alice@IPADEMO.LOCAL

   REMOTE_* REQUEST VARIABLES:

     REMOTE_USER: alice@IPADEMO.LOCAL
     REMOTE_USER_GROUP_1: ipausers
     REMOTE_USER_GROUP_2: sysadmin
     REMOTE_USER_GROUP_N: 2
     REMOTE_USER_FIRSTNAME: Alice
     REMOTE_USER_LASTNAME: Alice
     REMOTE_USER_MAIL: alice@ipademo.local
     REMOTE_ADDR: 192.168.33.20
     REMOTE_PORT: 51876

You can now proceed to Unit 7: Replica installation or Unit 8: Sudo
rule management. Otherwise, return to the curriculum overview to see
all the options.
