<div dir="ltr">I wondered about that, but the docs specifically say public key, and the command line option to "ipa vault-add" is "--public-key"<div><br></div><div>From "ipa vault-add --help"</div><div><br></div><div><div> --public-key=BYTES Vault public key</div><div> --public-key-file=STR File containing the vault public key</div></div><div><br></div><div>So I hope you can understand my confusion ;)</div><div><br></div><div>Can anyone else speak to whether the newer versions of the vault code is any different?</div><div><br></div><div>Thank you, Martin!</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jul 25, 2016 at 4:32 AM, Martin Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div bgcolor="#FFFFFF" text="#000000"><div><div class="h5"> <p><br> </p> <br> <div>On 24.07.2016 16:33, Anthony Clark wrote:<br> </div> <blockquote type="cite"> <div dir="ltr">Hello All, <div><br> </div> <div>I have a crazy notion of storing a host's SSH private keys in a ipa vault, so that a rebuilt host can use the same keys.</div> <div><br> </div> <div>I'm on CentOS 7.2 and I'm using the RPMs available in the standard centos base repository, so I'm constrained to version 1.0 vaults. I'm using this page: <a href="http://www.freeipa.org/page/V4/Password_Vault_1.0#Provisioning_service_vault_password_for_service_instance" target="_blank">http://www.freeipa.org/page/V4/Password_Vault_1.0#Provisioning_service_vault_password_for_service_instance</a></div> <div><br> </div> <div>I'm trying these following steps but running into trouble:</div> <div><br> </div> <div>ipa service-add ssh/<a href="http://test01.dev.redacted.net" target="_blank">test01.dev.redacted.net</a><br> </div> <div> <div><br> </div> <div>certutil -N -d testcertdb</div> <div><br> </div> <div>certutil -R -d testcertdb -a -g 2048 -s 'CN=<a href="http://test01.dev.redacted.net" target="_blank">test01.dev.redacted.net</a>,O=<a href="http://DEV.REDACTED.NET" target="_blank">DEV.REDACTED.NET</a>'</div> </div> <div><paste that csr into the ipa web gui></div> <div><br> </div> <div>ipa-getcert request -r -f testsshd01-cert.pem -k testsshd01-key.pem -K ssh/<a href="mailto:test01.dev.redacted.net@DEV.REDACTED.NET" target="_blank">test01.dev.redacted.net@DEV.REDACTED.NET</a><br> </div> <div><br> </div> <div>ipa vault-add testsshd02 --service ssh/<a href="mailto:test01.dev.redacted.net@DEV.REDACTED.NET" target="_blank"></a><a href="mailto:test01.dev.redacted.net@DEV.REDACTED.NET" target="_blank">test01.dev.redacted.net@DEV.REDACTED.NET</a> --type asymmetric --public-key-file testsshd01-cert.pem<br> </div> <div><br> </div> <div>the last command gives me "ipa: ERROR: invalid 'ipavaultpublickey': Invalid or unsupported vault public key: Could not unserialize key data."</div> <div><br> </div> <div>Is there a preferred way to create a public key for asymmetric encryption for a service vault?</div> <div><br> </div> <div>Thanks,</div> <div><br> </div> <div>Anthony Clark</div> </div> <br> <fieldset></fieldset> <br> </blockquote> <br></div></div> Hello,<br> I suspect you should use just private key, not certificate<br> <br> <a href="https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL" target="_blank">https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL</a><br> <br> Regards,<br> Martin<br> </div> </blockquote></div><br></div>