<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 25.07.2016 16:22, Anthony Clark
wrote:<br>
</div>
<blockquote
cite="mid:CAJGYKdNSp11Yt6UBcXcqeKEvggDJbZP3HG-DMsBqQPSBOuwsfQ@mail.gmail.com"
type="cite">
<div dir="ltr">I wondered about that, but the docs specifically
say public key, and the command line option to "ipa vault-add"
is "--public-key"
<div><br>
</div>
<div>From "ipa vault-add --help"</div>
<div><br>
</div>
<div>
<div> --public-key=BYTES Vault public key</div>
<div> --public-key-file=STR File containing the vault
public key</div>
</div>
<div><br>
</div>
<div>So I hope you can understand my confusion ;)</div>
<div><br>
</div>
<div>Can anyone else speak to whether the newer versions of the
vault code is any different?</div>
<div><br>
</div>
<div>Thank you, Martin!</div>
<div><br>
</div>
</div>
</blockquote>
Yeah sorry, I meant public key, private key is used for decipher.<br>
<br>
My point was just not to use certificate.<br>
<br>
Martin<br>
<br>
<blockquote
cite="mid:CAJGYKdNSp11Yt6UBcXcqeKEvggDJbZP3HG-DMsBqQPSBOuwsfQ@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Jul 25, 2016 at 4:32 AM, Martin
Basti <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div class="h5">
<p><br>
</p>
<br>
<div>On 24.07.2016 16:33, Anthony Clark wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello All,
<div><br>
</div>
<div>I have a crazy notion of storing a host's SSH
private keys in a ipa vault, so that a rebuilt
host can use the same keys.</div>
<div><br>
</div>
<div>I'm on CentOS 7.2 and I'm using the RPMs
available in the standard centos base
repository, so I'm constrained to version 1.0
vaults. I'm using this page: <a
moz-do-not-send="true"
href="http://www.freeipa.org/page/V4/Password_Vault_1.0#Provisioning_service_vault_password_for_service_instance"
target="_blank"><a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/V4/Password_Vault_1.0#Provisioning_service_vault_password_for_service_instance">http://www.freeipa.org/page/V4/Password_Vault_1.0#Provisioning_service_vault_password_for_service_instance</a></a></div>
<div><br>
</div>
<div>I'm trying these following steps but running
into trouble:</div>
<div><br>
</div>
<div>ipa service-add ssh/<a moz-do-not-send="true"
href="http://test01.dev.redacted.net"
target="_blank">test01.dev.redacted.net</a><br>
</div>
<div>
<div><br>
</div>
<div>certutil -N -d testcertdb</div>
<div><br>
</div>
<div>certutil -R -d testcertdb -a -g 2048 -s
'CN=<a moz-do-not-send="true"
href="http://test01.dev.redacted.net"
target="_blank">test01.dev.redacted.net</a>,O=<a
moz-do-not-send="true"
href="http://DEV.REDACTED.NET"
target="_blank">DEV.REDACTED.NET</a>'</div>
</div>
<div><paste that csr into the ipa web gui></div>
<div><br>
</div>
<div>ipa-getcert request -r -f testsshd01-cert.pem
-k testsshd01-key.pem -K ssh/<a
moz-do-not-send="true"
href="mailto:test01.dev.redacted.net@DEV.REDACTED.NET"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:test01.dev.redacted.net@DEV.REDACTED.NET">test01.dev.redacted.net@DEV.REDACTED.NET</a></a><br>
</div>
<div><br>
</div>
<div>ipa vault-add testsshd02 --service ssh/<a
moz-do-not-send="true"
href="mailto:test01.dev.redacted.net@DEV.REDACTED.NET"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:test01.dev.redacted.net@DEV.REDACTED.NET">test01.dev.redacted.net@DEV.REDACTED.NET</a></a>
--type asymmetric --public-key-file
testsshd01-cert.pem<br>
</div>
<div><br>
</div>
<div>the last command gives me "ipa: ERROR:
invalid 'ipavaultpublickey': Invalid or
unsupported vault public key: Could not
unserialize key data."</div>
<div><br>
</div>
<div>Is there a preferred way to create a public
key for asymmetric encryption for a service
vault?</div>
<div><br>
</div>
<div>Thanks,</div>
<div><br>
</div>
<div>Anthony Clark</div>
</div>
<br>
<fieldset></fieldset>
<br>
</blockquote>
<br>
</div>
</div>
Hello,<br>
I suspect you should use just private key, not certificate<br>
<br>
<a moz-do-not-send="true"
href="https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL"
target="_blank">https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL</a><br>
<br>
Regards,<br>
Martin<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</body>
</html>