[Freeipa-users] Problem: How to download the keytab from IPA without resetting/regenerating a new one??

Nalin Dahyabhai nalin at redhat.com
Fri Apr 27 20:34:18 UTC 2012


On Fri, Apr 27, 2012 at 02:52:20PM -0400, Dmitri Pal wrote:
>    I thought that there was a flag for ipa-getkeytab to fetch existing key
>    but my knowledge in this area is rusty. Same with the cert.
>    May be someone else would chime in.

There's a way for certificates, at least.

If you still have the matching private key on the host (unless I'm
mistaken, we don't have optional escrow yet, so if you don't have the
private key, you're out of luck, and there's no point in bothering with
any of this), you should be able to dig up the corresponding
certificate.

Since the regular IPA machinery already knows how to pull up a
certificate if you know its serial number, we just need to figure out
the serial number.  On the server, we search Dogtag's directory server
instance by running:

  DOMAIN=EXAMPLE.COM
  FQDN=clientbox1.example.com
  ldapsearch -h localhost -p 7389 -x -D "cn=Directory Manager" -W \
     -b ou=certificateRepository,ou=ca,o=ipaca \
     "subjectname=cn=$FQDN,o=$DOMAIN" cn serialno

We'll need to supply the directory server administrator password.  We'll
get back the "cn" and "serialno" values for any matching entries.  The
"cn" values appear to be the serial numbers.  If multiple certificates
were issued to the host, we'll get more than one serial number back.  We
can pass any of them to "ipa cert-show" to retrieve the certificate that
was issued with that serial number.

The "Certificate:" value is base64 without a header or footer, but we
can pipe the whole value through OpenSSL's utility to both make sure we
have the whole thing, and clean it up in the process.  Run this command,
and copy/paste the value into it:

  openssl base64 -d | openssl x509 -inform der

The result can be stored in the relevant file for use with OpenSSL, or
imported into the relevant database for use with NSS.

Like Stephen noted about keytabs, though, there should be no harm in
just issuing a new certificate for the host in question.  Certificates
are always issued with limited validity periods, so anything that breaks
if/when a certificate is replaced needs to be fixed anyway.

HTH,

Nalin
