[Freeipa-devel] [freeipa PR#542][comment] Implementation independent interface for CSR generation
HonzaCholasta
freeipa-github-notification at redhat.com
Wed Mar 8 09:47:41 UTC 2017
URL: https://github.com/freeipa/freeipa/pull/542
Title: #542: Implementation independent interface for CSR generation
HonzaCholasta commented:
"""
I would rather make things simple and remove the abstraction.
We can support NSS databases by PKCS#12 export/import until we have first-class support:
1. generate private key and temporary cert in the NSS database:
`certutil -S ...`
2. export the private key from the NSS database into a temporary PKCS#12 file:
`pk12util -o key.p12 ...`
3. delete the temporary cert from the NSS database:
`certutil -D ...`
4. extract the private key from the temporary PKCS#12 file into a temporary PKCS#8 file:
`openssl pkcs12 -in key.p12 -nocerts -out key.pem ...`
5. delete the temporary PKCS#12 file
6. request a certificate using the OpenSSL workflow on the temporary PKCS#8 file
7. import the certificate into the NSS database
Granted, this won't work with HSMs, but I think that's OK, given it is only a temporary solution.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/542#issuecomment-284995622
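
The seven steps above written out as a shell script, as an added example that is not part of the original comment or of the FreeIPA code base. The database path, password file, nickname, CN and all file names are assumptions. Temporary key files live only in a mode-0700 directory that is removed on success and on failure.

```shell
# Added example. db, pwfile, nick, cn and every file name are assumptions.

# Private scratch directory (mode 0700) for the temporary key files.
make_workdir() {
    ( umask 077 && mktemp -d "${TMPDIR:-/tmp}/nsscsr.XXXXXX" )
}

# Steps 1-6. Usage: nss_key_to_csr DB_DIR DB_PWFILE NICKNAME CN CSR_OUT
# The body runs in a subshell so its variables stay local.
nss_key_to_csr() (
    db=$1 pwfile=$2 nick=$3 cn=$4 csr_out=$5
    work=$(make_workdir) || exit 1
    rc=0
    {
        head -c 64 /dev/urandom > "$work/noise" &&
        head -c 32 /dev/urandom | base64 > "$work/p12pw" &&
        # 1. key pair plus temporary self-signed cert in the NSS database
        certutil -S -d "$db" -f "$pwfile" -n "$nick" -s "CN=$cn" \
                 -x -t ",," -k rsa -g 2048 -z "$work/noise" &&
        # 2. export the key (and temporary cert) to a temporary PKCS#12 file
        pk12util -o "$work/key.p12" -d "$db" -k "$pwfile" -n "$nick" \
                 -w "$work/p12pw" &&
        # 3. drop the temporary cert; the private key stays in the database
        certutil -D -d "$db" -n "$nick" &&
        # 4. unencrypted PKCS#8 key, reachable only inside the 0700 directory
        openssl pkcs12 -in "$work/key.p12" -nocerts -nodes \
                -passin "file:$work/p12pw" -out "$work/key.pem" &&
        # 6. CSR from the temporary key (submit it to the CA separately)
        openssl req -new -key "$work/key.pem" -subj "/CN=$cn" -out "$csr_out"
    } </dev/null || rc=$?
    # 5. (and the failure path) remove every temporary key file
    rm -rf "$work"
    exit "$rc"
)

# 7. import the issued certificate under the same nickname
# Usage: import_issued_cert DB_DIR DB_PWFILE NICKNAME CERT_PEM
import_issued_cert() {
    certutil -A -d "$1" -f "$2" -n "$3" -t ",," -a -i "$4"
}
```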