[Freeipa-users] question about generating certificates

Rob Crittenden rcritten at redhat.com
Wed Nov 6 13:44:00 UTC 2013


Dmitri Pal wrote:
> On 11/06/2013 07:01 AM, Arthur Faizullin wrote:
>> Исаев Виталий Анатольевич <isaev at fintech.ru> has given me advice that the
>> problem may be in SELinux.
>> So I have stopped tracking the previous request by
>> $ sudo ipa-getcert stop-tracking -i 20131106075356
>>
>> and have generated a new request
>> # ipa-getcert request -f /var/lib/certmonger/requests/server.crt
>> -k /var/lib/certmonger/requests/server.key -K
>> postgresql/postgresql.example.com -N CN=postgresql.example.com -D
>> postgresql.example.com
>>
>> that made the desired files appear at /var/lib/certmonger/requests/;
>> that is okay! :)
>> But I want them in /var/lib/pgsql/9.3/data/.
>> So what is the problem? Why not just copy them to that directory?
>> the problem is that when I list cert requests, I see this:
>> Request ID '20131106113520':
>> 	status: MONITORING
>> 	stuck: no
>> 	key pair storage:
>> type=FILE,location='/var/lib/certmonger/requests/server.key'
>> 	certificate:
>> type=FILE,location='/var/lib/certmonger/requests/server.crt'
>> 	CA: IPA
>> 	issuer: CN=Certificate Authority,O=EXAMPLE.COM
>> 	subject: CN=postgresql.example.com,O=EXAMPLE.COM
>> 	expires: 2015-11-07 11:35:20 UTC
>> 	eku: id-kp-serverAuth,id-kp-clientAuth
>> 	pre-save command:
>> 	post-save command:
>> 	track: yes
>> 	auto-renew: yes
>>
>> We can see that the file location in that list is defined at request time.
>>
>> Shall I make SELinux let certmonger access /var/lib/pgsql? Or is
>> there any other solution?
>
> I think yes. And I recall this is not the first time this has come up.
> My memory might be failing me, but I vaguely remember that we discussed this.
> However, I could not find any bug or ticket on the matter, so I created this:
> https://bugzilla.redhat.com/show_bug.cgi?id=1027265

Typically in Fedora and RHEL certs are expected to go into 
/etc/pki/tls/certs and keys into /etc/pki/tls/private. These directories 
have the correct SELinux contexts.

rob
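As an added example (not part of the thread, and not certmonger's or FreeIPA's own code), the script below turns Rob's advice into a small check: it refuses a request whose certificate or key path lies outside the standard Fedora/RHEL PKI directories, and it prints the ipa-getcert invocation from the thread rewritten to use those directories. The service name, hostname and file names are constructed for illustration; `matchpathcon` (from libselinux-utils) is only called when present.

```shell
#!/bin/sh
# Added example: request a certmonger-tracked certificate into the
# directories that already carry the correct SELinux file contexts on
# Fedora/RHEL, instead of into the PostgreSQL data directory.
# Hostname, service name and file names below are constructed for
# illustration and are not from the original thread.

CERT_DIR=/etc/pki/tls/certs
KEY_DIR=/etc/pki/tls/private

# Return 0 when CERT lives under $CERT_DIR and KEY under $KEY_DIR, else 1.
# This is the guard that would have caught /var/lib/pgsql/9.3/data/ early.
paths_ok() {
    cert=$1
    key=$2
    case $cert in
        "$CERT_DIR"/*) ;;
        *) echo "certificate $cert is outside $CERT_DIR" >&2; return 1 ;;
    esac
    case $key in
        "$KEY_DIR"/*) ;;
        *) echo "key $key is outside $KEY_DIR" >&2; return 1 ;;
    esac
    return 0
}

# Print (do not run) the ipa-getcert request line for HOST's SVC service.
# -f/-k are the file locations, -K the Kerberos principal, -N the subject
# and -D the DNS name, the same options used in the thread's invocation.
request_cmd() {
    host=$1
    svc=$2
    printf 'ipa-getcert request -f %s/%s.crt -k %s/%s.key -K %s/%s -N CN=%s -D %s\n' \
        "$CERT_DIR" "$svc" "$KEY_DIR" "$svc" "$svc" "$host" "$host" "$host"
}

# Optional: when libselinux-utils is installed, verify that the on-disk
# contexts of both directories still match policy before requesting.
selinux_check() {
    if command -v matchpathcon >/dev/null 2>&1; then
        matchpathcon -V "$CERT_DIR" "$KEY_DIR"
    else
        echo "matchpathcon not available; skipping SELinux context check" >&2
    fi
}

# Demonstration: validate the target paths, then show the request line.
# Pipe the printed line into sh on an enrolled host to actually submit it.
paths_ok "$CERT_DIR/postgresql.crt" "$KEY_DIR/postgresql.key" &&
    request_cmd postgresql.example.com postgresql
```

Once the files live in /etc/pki/tls, PostgreSQL 9.3 can be pointed at them with the `ssl_cert_file` and `ssl_key_file` settings in postgresql.conf rather than by copying them into the data directory; the postgres user still needs read access to the key, which is what the tracking entry's post-save command (the `-C` option of `ipa-getcert request`) is for, since it runs again after every automatic renewal.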



