Configuring PIN Authenticated Certificate Profile

Endi S. Dewata edited this page Apr 2, 2024 · 8 revisions

Overview

This document describes how to configure a PIN-authenticated certificate profile such as:

  • caDirPinUserCert: Directory-Pin-Authenticated User Dual-Use Certificate Enrollment

  • caECDirPinUserCert: Directory-Pin-Authenticated User Dual-Use ECC Certificate Enrollment

Setting up LDAP Users and PIN Manager

Prepare an LDAP subtree that contains the users who will enroll, plus a PIN manager entry that setpin binds as when it writes PINs. The ACIs below let anyone search and read the basic attributes of the subtree (so the CA can locate a user entry by uid) and let each user read its own entry; each user must also be able to bind with a password, because the CA verifies the password and the PIN together at enrollment time. For example:

$ ldapadd -H ldap://ds.example.com -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: uid=pinmanager,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: pinmanager
cn: PIN Manager
sn: Manager
userPassword: Secret.123

dn: ou=people,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: people
aci: (target="ldap:///ou=people,dc=example,dc=com")
 (targetattr=objectClass||dc||ou||uid||cn||sn||givenName)
 (version 3.0; acl "Allow anyone to read and search basic attributes"; allow (search, read) userdn = "ldap:///anyone";)
aci: (target="ldap:///ou=people,dc=example,dc=com")
 (targetattr=*)
 (version 3.0; acl "Allow anyone to read and search itself"; allow (search, read) userdn = "ldap:///self";)

dn: uid=testuser,ou=people,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: testuser
cn: Test User
sn: User
userPassword: Secret.123
EOF

Setting up LDAP Schema and ACI

Use setpin to set up the LDAP schema and ACI attributes:

$ sed \
    -e "s/^host=.*$/host=ds.example.com/" \
    -e "s/^port=.*$/port=3389/" \
    -e "s/^binddn=.*$/binddn=cn=Directory Manager/" \
    -e "s/^bindpw=.*$/bindpw=Secret.123/" \
    -e "s/^pinmanager=.*$/pinmanager=uid=pinmanager,dc=example,dc=com/" \
    -e "s/^pinmanagerpwd=.*$/pinmanagerpwd=Secret.123/" \
    -e "s/^basedn=.*$/basedn=ou=people,dc=example,dc=com/" \
    /usr/share/pki/tools/setpin.conf > setpin.conf
$ setpin optfile=setpin.conf

Generating User PINs

Use setpin to generate PINs for all users:

$ sed -i "/^setup=/d" setpin.conf
$ setpin \
    filter="(objectClass=person)" \
    optfile=setpin.conf \
    output=setpin.out \
    write

setpin writes one record per user to setpin.out. Note that this file holds the PINs in cleartext, so restrict its permissions, deliver the PINs to users out of band, and delete the file once they have been distributed. A record looks like this:

dn:uid=testuser,ou=people,dc=example,dc=com
pin:GIRbLe
status:added
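
The following helpers, added here as an example and not part of the Dogtag wiki or the setpin tool, parse setpin.out into records and hand the PINs out without leaving them in logs or world-readable files. The record layout (blank-line separated dn:, pin: and status: lines) is taken from the single record above; the multi-record sample, the second user, and the skipped status value are constructed for the example and are assumptions about setpin's output.

```shell
# setpin_records FILE: one tab-separated line per record: dn, status, pin.
# Records are assumed to be separated by blank lines (assumption; the page
# shows only one record). A record without a status is reported as "unknown".
setpin_records() {
    awk -v OFS='\t' '
        function flush() {
            if (dn != "") print dn, (status == "" ? "unknown" : status), pin
            dn = status = pin = ""
        }
        /^[ \t]*$/ { flush(); next }
        {
            i = index($0, ":")
            if (i == 0) next
            key = substr($0, 1, i - 1)
            val = substr($0, i + 1)
            sub(/^[ \t]+/, "", val)          # tolerate "pin: x" as well as "pin:x"
            if (key == "dn") dn = val
            else if (key == "pin") pin = val
            else if (key == "status") status = val
        }
        END { flush() }
    ' "$1"
}

# setpin_count FILE STATUS: number of records carrying the given status.
setpin_count() {
    setpin_records "$1" | awk -F'\t' -v s="$2" '$2 == s { n++ } END { print n + 0 }'
}

# setpin_pin_for FILE DN: the PIN recorded for DN (empty if none was issued).
setpin_pin_for() {
    setpin_records "$1" | awk -F'\t' -v d="$2" '$1 == d { print $3; exit }'
}

# setpin_redact FILE: dn and status only; safe to paste into a ticket or log.
setpin_redact() {
    setpin_records "$1" | cut -f1,2
}

# setpin_split FILE DIR: one mode-0600 file per successfully added user, named
# after the uid RDN, for out-of-band delivery. The uid is restricted to a safe
# character set before it becomes a filename so a crafted DN cannot escape DIR.
setpin_split() {
    setpin_records "$1" | while IFS="$(printf '\t')" read -r dn status pin; do
        [ "$status" = added ] || continue
        uid=${dn%%,*}
        uid=${uid#*=}
        case $uid in
            ""|*[!A-Za-z0-9._-]*)
                echo "setpin_split: refusing unsafe uid in '$dn'" >&2
                continue ;;
        esac
        ( umask 077; printf '%s\n' "$pin" > "$2/$uid.pin" )
    done
}

# Constructed sample standing in for a real setpin.out (three users, one of
# which is assumed to have been skipped by setpin).
SETPIN_OUT=$(mktemp)
cat > "$SETPIN_OUT" <<'EOF'
dn:uid=testuser,ou=people,dc=example,dc=com
pin:GIRbLe
status:added

dn:uid=alice,ou=people,dc=example,dc=com
pin:x7Qm2p
status:added

dn:uid=bob,ou=people,dc=example,dc=com
status:skipped
EOF

# Summary that can be kept, without the PINs:
setpin_redact "$SETPIN_OUT"
```

Run setpin_split against the real setpin.out with a directory that only the operator can read, hand each file to its user through a separate channel, and remove both the directory and setpin.out afterwards; setpin_redact is what you keep as the record of which users were issued a PIN.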

Configuring caDirPinUserCert Profile

The caDirPinUserCert profile is stored in /var/lib/pki/pki-tomcat/ca/profiles/ca/caDirPinUserCert.cfg.

By default the profile is disabled. To enable it, update the following parameter:

enable=true

By default the issued certificate is valid for 180 days. For testing, the validity range can be shortened, e.g. to 5 minutes:

policyset.userCertSet.2.default.params.range=5
policyset.userCertSet.2.default.params.rangeUnit=minute

By default the profile is configured to use the PinDirEnrollment authentication manager:

auth.instance_id=PinDirEnrollment

Add the PinDirEnrollment authentication manager to /var/lib/pki/pki-tomcat/ca/conf/CS.cfg. The host and port must point at the directory server that setpin wrote the PINs to (setpin.conf above uses port 3389 while the instance below uses 389; adjust one or the other to match your deployment). Note that this example connects over plain LDAP with BasicAuth, so the user's password and PIN cross the network in cleartext; outside a test setup, turn on the instance's secure connection setting (ldap.ldapconn.secureConn=true) and use the LDAPS port.

auths.instance.PinDirEnrollment.pluginName=UidPwdPinDirAuth
auths.instance.PinDirEnrollment.ldap.basedn=ou=people,dc=example,dc=com
auths.instance.PinDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.PinDirEnrollment.ldap.ldapconn.host=ds.example.com
auths.instance.PinDirEnrollment.ldap.ldapconn.port=389

The UidPwdPinDirAuth authentication plugin is already defined in CS.cfg:

auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication

Finally, restart the CA subsystem so that it loads the new authentication instance and the enabled profile:

$ pki-server ca-redeploy --wait
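
The profile and CS.cfg edits above are plain key=value changes, but the files contain '/', ',' and '=' in values and are owned by the PKI service user, which makes ad-hoc sed edits error-prone. The helpers below are an added example (not part of the Dogtag wiki or the pki-server tooling) that apply every setting from this section in one idempotent pass: an existing key is rewritten in place, duplicates are dropped, a missing key is appended, and the file is written back through its existing inode so owner and mode are preserved. The two sample files are constructed stand-ins for caDirPinUserCert.cfg and CS.cfg and contain only the lines this page shows; the function names are the example's own.

```shell
# pki_set_param FILE KEY VALUE: replace the first "KEY=..." line, drop any further
# duplicates, or append the line if the key is absent. awk is used rather than sed
# so no escaping of '/' or ',' in VALUE is needed (VALUE must not contain
# backslashes, which awk -v would interpret). Writing back with "cat > FILE"
# keeps the owner and mode of the original pkiuser-owned file.
pki_set_param() {
    _tmp=$(mktemp) || return 1
    awk -v k="$2" -v v="$3" '
        index($0, k "=") == 1 { if (!done) { print k "=" v; done = 1 }; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$1" > "$_tmp" && cat "$_tmp" > "$1"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# pki_get_param FILE KEY: print the value of the first "KEY=..." line (empty if absent).
pki_get_param() {
    awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$1"
}

# configure_pin_dir_enrollment PROFILE_CFG CS_CFG LDAP_HOST LDAP_PORT BASEDN
# Applies the settings from this section: enable the profile, shorten validity
# for testing, and define the PinDirEnrollment instance in CS.cfg.
configure_pin_dir_enrollment() {
    _p=$1 _cs=$2 _host=$3 _port=$4 _base=$5
    pki_set_param "$_p" enable true
    pki_set_param "$_p" policyset.userCertSet.2.default.params.range 5
    pki_set_param "$_p" policyset.userCertSet.2.default.params.rangeUnit minute
    pki_set_param "$_p" auth.instance_id PinDirEnrollment
    pki_set_param "$_cs" auths.instance.PinDirEnrollment.pluginName UidPwdPinDirAuth
    pki_set_param "$_cs" auths.instance.PinDirEnrollment.ldap.basedn "$_base"
    pki_set_param "$_cs" auths.instance.PinDirEnrollment.ldap.ldapauth.authtype BasicAuth
    pki_set_param "$_cs" auths.instance.PinDirEnrollment.ldap.ldapconn.host "$_host"
    pki_set_param "$_cs" auths.instance.PinDirEnrollment.ldap.ldapconn.port "$_port"
}

# Constructed sample files standing in for the real ones under /var/lib/pki/pki-tomcat.
SAMPLE_DIR=$(mktemp -d)
PROFILE_CFG=$SAMPLE_DIR/caDirPinUserCert.cfg
CS_CFG=$SAMPLE_DIR/CS.cfg
cat > "$PROFILE_CFG" <<'EOF'
name=Directory-Pin-Authenticated User Dual-Use Certificate Enrollment
enable=false
auth.instance_id=PinDirEnrollment
policyset.userCertSet.2.default.params.range=180
policyset.userCertSet.2.default.params.rangeUnit=day
EOF
cat > "$CS_CFG" <<'EOF'
auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication
EOF

# Apply to the samples; running this twice leaves the files unchanged.
configure_pin_dir_enrollment "$PROFILE_CFG" "$CS_CFG" ds.example.com 389 "ou=people,dc=example,dc=com"
cat "$PROFILE_CFG" "$CS_CFG"
```

Point the function at the real profile and CS.cfg paths (as root or the PKI service user), then run the pki-server ca-redeploy step above; because the edit is idempotent it is safe to re-run from a deployment script.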

Enrollment