[Freeipa-users] Redhat IPA as a SSL CA
M.R Niranjan
mrniranjan at redhat.com
Fri Jul 19 05:26:27 UTC 2013
On 07/19/2013 06:57 AM, craig.freeipa at noboost.org wrote:
> Hi,
>
> I've been using Redhat IPA 2.2 as our internal CA quite successfully
> for a while and managing it from the IPA management website.
>
> I'm struggling to find precise information about the SSL certs and
> management at a CLI level.
>
> 1) Can I submit SSL CSR via cli?
Yes, you could, using the ipa cert-request command.

Example:

1. Add the host for which you are generating the request.

# ipa host-add webserver1.example.org

2. Create a CSR (i.e. a private key and certificate request, using the openssl command)

A. Generate private key:

[root@test1 certs]# openssl genrsa 1024 > server.key

B. Generate CSR:

[root@test1 certs]# openssl req -new -key server.key -out server.csr

3. Submit the certificate request:

# ipa cert-request /etc/pki/tls/certs/server.csr

4. Get the signed certificate out using the ipa cert-show command.

Example:

[root@test1 certs]# ipa cert-show 12 --out=/etc/pki/tls/certs/server.crt

> 2) Where are the approved client SSL certs kept in IPA?
>
They are stored in Directory Server in 2 places:

1. Domain suffix tree

dn:fqdn=webserver1.example.org,cn=computers,cn=accounts,dc=example,dc=org

2. CA store in DS. The Certificate System of IPA stores the certificate in its LDAP store (ou=certificateRepository,ou=ca,o=ipaca)
>
> cya
>
> Craig
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
--
Regards
M.R.Niranjan
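The CLI steps in the reply above can be bracketed with local checks on the CSR and on the issued certificate. The following is an added example, not part of the original post or of FreeIPA's own tooling. It assumes that `ipa cert-request` rejects a CSR whose subject CN differs from the host of the requesting principal; the function names, temporary paths and the 2048-bit throwaway key are choices made for this example.

```shell
#!/usr/bin/env bash
# Added example: local checks around the "ipa cert-request" steps.
# Function names and temp paths are hypothetical; only openssl is needed.

# Print the subject CN of a PEM-encoded CSR.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p'
}

# Succeed only if the private key ($1) and the CSR or certificate ($3)
# carry the same public key. $2 is "csr" or "crt".
same_pubkey() {
    local from_key from_obj
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    case "$2" in
        csr) from_obj=$(openssl req  -in "$3" -noout -pubkey 2>/dev/null) ;;
        crt) from_obj=$(openssl x509 -in "$3" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_obj" ]
}

# Run before step 3: $1 = host FQDN given to "ipa host-add", $2 = key, $3 = CSR.
precheck_csr() {
    [ "$(csr_cn "$3")" = "$1" ] || { echo "CSR CN is not $1" >&2; return 1; }
    same_pubkey "$2" csr "$3"   || { echo "CSR was not made from $2" >&2; return 1; }
}

# Constructed demo: throwaway key and CSR for the host name used in the reply.
demo() {
    local d rc
    d=$(mktemp -d) || return 1
    ( umask 077; openssl genrsa -out "$d/server.key" 2048 2>/dev/null )
    openssl req -new -key "$d/server.key" -subj "/CN=webserver1.example.org" \
        -out "$d/server.csr"
    precheck_csr webserver1.example.org "$d/server.key" "$d/server.csr"; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo && echo "CSR ready for: ipa cert-request server.csr"
# After "ipa cert-show <serial> --out=server.crt", confirm the issued
# certificate belongs to the key: same_pubkey server.key crt server.crt
```

The `umask 077` subshell keeps the generated private key readable only by its owner, which the `openssl genrsa 1024 > server.key` form does not do on its own.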