Using a Dogtag instance as external CA for FreeIPA installation

A FreeIPA user recently had issues installing FreeIPA with an external CA. He was using Dogtag certificate system as external CA and FreeIPA installation was failing, complaining about the certificate provided by Dogtag.

So I decided to try the same deployment and share my findings in this post.

A little background…

FreeIPA server can be configured to act as a Certificate Authority inside FreeIPA IDM domain. It will then be able to create the certificates used by the LDAP server, the Apache server used for the Web GUI or the users and hosts.

This CA can be set-up in different ways:

  • The CA is a root CA, meaning that its certificate is self-signed
  • or the CA is subordinate to an external, 3rd-party CA, meaning that its certificate is signed by the 3rd party CA.

There are a wide range of products that can be used as 3rd-party CAs, among which Dogtag certificate system. In this blog post, I will explain how Dogtag can provide the certificate for IPA CA.


The following instructions apply to Fedora 24. They will:

  1. run the 1st step of ipa-server-install to generate a CSR
  2. submit the CSR to Dogtag and have Dogtag issue a certificate for FreeIPA server
  3. run the 2nd step of ipa-server-install with the certificate obtained in step 2.

For instructions to setup the Dogtag server, you can refer to this post: Dogtag installation.


FreeIPA server installation – step 1

In order to install FreeIPA with an externally-signed CA, we must use the –external-ca option of ipa-server-install. The installation is then a multi-step install, where:

  • ipa-server-install produces a CSR
  • we need to submit this CSR to the external CA, that will in return provide a certificate and certificate chain
  • we need to run ipa-server-install a 2nd time, with different options and providing the certificates obtained in the previous step.

So let’s run the first step of ipa-server-install:

root@ipaserver$ ipa-server-install --setup-dns \
 --auto-forwarders \
 --auto-reverse \
 -n \
 -p Secret123 -a Secret123 \
 --external-ca \
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
 [1/8]: creating certificate server user
 [2/8]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run /sbin/ipa-server-install as:
/sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate


Generation of the certificate using Dogtag

We then need to copy this CSR on the Dogtag instance and submit the CSR, approve it and export the certificate.

The submission is an important step as it allows to specify a profile. Basically, if we pick caCACert profile, we signal our intent to use the produced certificate as a Certificate Authority in our FreeIPA deployment, and the resulting certificate will contain the required extensions:

root@dogtag$ pki ca-cert-request-submit --profile caCACert --request-type pkcs10 --csr-file ipa.csr
Submitted certificate request
 Request ID: 7
 Type: enrollment
 Request Status: pending
 Operation Result: success

Note the Request ID as we will need it in order to approve the submission:

root@dogtag$ pki -c Secret123 -d /root/.dogtag/nssdb/ -n "PKI Administrator for" cert-request-review 7 --action approve
Approved certificate request 7
 Request ID: 7
 Type: enrollment
 Request Status: complete
 Operation Result: success
 Certificate ID: 0x7

Note the Certificate ID as we will need it to export the certificate into a file ipa.cert:

root@dogtag$ pki -c Secret123 -d /root/.dogtag/nssdb/ -n "PKI Administrator for" cert-show 7 --encoded --output ipa.cert

We will also need the dogtagca certificate chain:

root@dogtag$ pki ca-cert-show 1 --encoded --output dogtagca.cert

At this point, we have a new certificate and chain (ipa.cert and dogtagca.cert), that we need to copy on FreeIPA server. We can resume FreeIPA installation.

FreeIPA server installation – step 2

In order to resume FreeIPA installation, we will follow the instructions provided in step 1:

root@ipaserver$ /sbin/ipa-server-install --external-cert-file=ipa.cert --external-cert-file=dogtagca.cert


The installation will resume and use the ipa.cert for IPA Certificate Authority. That’s it!


Dogtag installation

Dogtag Certificate System is an open-source Certificate Authority. It allows to issue certificates,  generate Certificate Revocation Lists and much more. In this post, I am mainly interested in the installation of the Certificate Authority (to see why, you can refer to this other post, Using a Dogtag instance as external CA for FreeIPA installation).


Installation of the Dogtag server

First you need to get the packages for Dogtag and 389-ds (the LDAP server used by Dogtag):

root@dogtag$ dnf install -y 389-ds-base dogtag-pki


Dogtag relies on the LDAP server to store its data. So the installation begins with the setup of the LDAP server. It will create an instance named pki-tomcat with the suffix dc=example,dc=com:

root@dogtag$ --silent\
 slapd.RootDN="cn=Directory Manager"\
Your new DS instance 'pki-tomcat' was successfully created.
Exiting . . .
Log file is '/tmp/setupjVm7VR.log

Once the LDAP server is ready, we can proceed with the Dogtag server. The installation is an interactive process, where we will pick to install the CA subsystem and provide a password for caadmin user:

root@dogtag$ pkispawn


Interactive installation currently only exists for very basic deployments!

For example, deployments intent upon using advanced features such as:

* Cloning,
 * Elliptic Curve Cryptography (ECC),
 * External CA,
 * Hardware Security Module (HSM),
 * Subordinate CA,
* etc.,

must provide the necessary override parameters in a separate
 configuration file.

Run 'man pkispawn' for details.

Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]:

 Instance [pki-tomcat]:
 HTTP port [8080]:
 Secure HTTP port [8443]:
 AJP port [8009]:
 Management port [8005]:

 Username [caadmin]:
 Password: Secret123
 Verify password: Secret123
 Import certificate (Yes/No) [N]?
 Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]:

Directory Server:
 Hostname []:
 Use a secure LDAPS connection (Yes/No/Quit) [N]?
 LDAP Port [389]:
 Bind DN [cn=Directory Manager]:
 Password: Secret123
 Base DN [o=pki-tomcat-CA]:

Security Domain:
 Name [ Security Domain]:

Begin installation (Yes/No/Quit)? Yes

Log file: /var/log/pki/pki-ca-spawn.20160802152151.log
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Notice: Trust flag u is set automatically if the private key is present.
Created symlink from /etc/systemd/system/ to /usr/lib/systemd/system/


Administrator's username: caadmin
 Administrator's PKCS #12 file:
 Administrator's certificate database:

To check the status of the subsystem:
 systemctl status pki-tomcatd@pki-tomcat.service

To restart the subsystem:
 systemctl restart pki-tomcatd@pki-tomcat.service

The URL for the subsystem is:

 PKI instances will be enabled upon system boot


Your Dogtag server is now up and running, ready to handle certificate requests.


Dogtag client configuration

In order to submit certificate requests, approve csr or export certificates, you can use Dogtag client but need first to create a NSS DB for the client. This NSSDB (by default located in ~/.dogtag/nssdb) will store the certificate that the client is using to communicate with Dogtag server:

root@dogtag$ pki -c Secret123 client-init
root@dogtag$ pk12util -i /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -d /root/.dogtag/nssdb/
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:

At this point, your client is able to interact with the server using the pki CLI.

New project!

I wanted to thank all the people that followed this blog and showed interest in EUS and OUD. This project was a big milestone in my professional life, I really learned a lot and enjoyed sharing my knowledge.

Since May this year, I moved to a new project as Software Development and Integration Engineer at Red Hat, in the Free IPA team. My new blog posts will still be about Identity Management, but with different products this time. I hope that you will continue to be interested in my articles!