Samba + pki, ADCS on nethserver


(Forgotten Beast) #1

Greetings,
I’ve been searching around for a (somewhat) easy way to integrate a pki with a nethserver AD.

The use case is the following:

  1. Having one place where I can generate new certificates for people joining an organization (hello new sysadmin on the block, here is your ssh keypair).
  2. Having one place where those people’s profiles are linked with said certificates.
  3. Having one place where, if the need arises, I can delete the profile and revoke the certificate, with the publication of a CRL automagically handled for me.

I have given OpenXpki a good look and I would like to know if there is anything planned/already implemented in nethserver (such as a “working out of the box” openxpki instance that integrates with Samba) and if not, what are everyone’s thoughts on how (or even whether) it should be implemented.


(Markus Neuberger) #2

Hello @ForgottenBeast,

I just found pki-server in centos repos, is it possible to install openxpki on centos?

https://centos.pkgs.org/7/centos-x86_64/pki-server-10.4.1-10.el7.noarch.rpm.html

This is what we have now:

http://docs.nethserver.org/projects/nethserver-devel/en/v7/certificate_management.html


(Davide Principi) #3

Just for reference, existing implementations are:


(Forgotten Beast) #4

Thanks for the answers, I’ll look further into freeipa and openxpki.
@mrmarkuz I’ll try installing it the usual way but if it does not work I’m of a mind to run it inside a docker container.

@davidep it seems that freeipa looks like it could be easily integrated with an existing samba setup but a CLI-only application is less appealing.

For those who have deployed a full PKI in the real world, am I wrong to believe that it would be feasible to only import whatever certificates I need from openxpki and use GPOs/a configuration management system to upload them wherever they are needed?