privacyIDEA goes Certificate Authority

privacyIDEA started as a backend system for one-time passwords. But as you might have noticed, it is moving more and more towards a system that manages many different devices, identities and ways to authenticate a user.

After the initial fork, many new authentication aspects have been added. The YubiKey could be used to authenticate against LUKS to boot your notebook.

With the concept of applications and machines, the new SSH token type was added, which lets you manage all public SSH keys. This gives you a central system to manage the accounts, identities and authentication objects of your users.

The upcoming release 2.3 will provide the first implementation of certificate management. The CA connector concept allows you to connect to any existing certificate authority. The first connector type will connect to a locally running OpenSSL-based CA. Implementing new connector types to connect to other certificate authorities, such as the Microsoft CA, is possible.

We just pushed the implementation for enrolling a certificate. In this first, simple case, a certificate signing request (CSR) is passed with the token initialization API, and the request is signed by the CA that is connected via the CA connector. The certificate is then stored as a new token type in the token database.

Thus you will see all OTP tokens, SSH keys and certificates of a user in one place.
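To make the enrollment step concrete, here is an added shell example (not privacyIDEA code) of what a local OpenSSL-based CA connector has to do with a submitted CSR, together with the checks worth running on the issued certificate before it is stored as a token. It assumes the openssl command-line tool; the throwaway CA, the subject names and the 30-day lifetimes are constructed placeholders.

```shell
#!/bin/sh
# Added example: the server-side signing step of a local OpenSSL-based CA
# connector, followed by the sanity checks a careful operator would apply.

# sign_csr_with_local_ca <workdir>: builds a throwaway CA, creates a client
# key and CSR (standing in for the CSR sent with the token init request),
# signs the CSR with the CA, and verifies the result. Returns 0 on success.
sign_csr_with_local_ca() (
    set -e
    mkdir -p "$1" && cd "$1"

    # 1. Throwaway self-signed CA (constructed); in production the connector
    #    uses the key and certificate of the existing CA instead.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test CA" \
        -keyout ca.key -out ca.crt >/dev/null 2>&1

    # 2. User key pair and CSR: this is the "request" a client would submit.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice@example.com" \
        -keyout user.key -out user.csr >/dev/null 2>&1

    # 3. What the CA connector does: sign the CSR with the CA key. The
    #    extensions pin the issued cert to end-entity use so that an enrolled
    #    certificate can never act as a sub-CA.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > user.ext
    openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 30 -extfile user.ext -out user.crt >/dev/null 2>&1

    # 4. Checks before storing the certificate as a token:
    #    a) it chains to the CA that was supposed to sign it,
    openssl verify -CAfile ca.crt user.crt >/dev/null
    #    b) its public key is exactly the one from the CSR (no substitution),
    csr_pub=$(openssl req -in user.csr -pubkey -noout)
    crt_pub=$(openssl x509 -in user.crt -pubkey -noout)
    [ "$csr_pub" = "$crt_pub" ]
    #    c) it did not come out as a CA certificate.
    ! openssl x509 -in user.crt -noout -text | grep -q 'CA:TRUE'
)
```

Run it as `sign_csr_with_local_ca /tmp/pi-ca-demo`; a non-zero exit means one of the checks in step 4 failed.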

The release of 2.3 is planned for June 11th. But stay tuned – it might come early!

Further reading:

The Certificate Concept

Enroll a Certificate
