[Freeipa-users] question about generating certificates
Arthur Faizullin
arthur at deus.pro
Thu Nov 7 04:53:54 UTC 2013
В Ср, 06/11/2013 в 08:44 -0500, Rob Crittenden пишет:
> Dmitri Pal wrote:
> > On 11/06/2013 07:01 AM, Arthur Faizullin wrote:
> >> Исаев Виталий Анатольевич <isaev at fintech.ru> has give me advise that the
> >> problem may be in Selinux.
> >> so I has stoped tracking previous request by
> >> $ sudo ipa-getcert stop-tracking -i 20131106075356
> >>
> >> and has generated new request
> >> # ipa-getcert request -f /var/lib/certmonger/requests/server.crt
> >> -k /var/lib/certmonger/requests/server.key -K
> >> postgresql/postgresql.example.com -N CN=postgresql.example.com -D
> >> postgresql.example.com
> >>
> >> that made desired files to appear at /var/lib/certmonger/requests/
> >> that is okay! :)
> >> but! I want them in /var/lib/pgsql/9.3/data/
> >> so what is the problem? why not just copy them at that directory?
> >> the problem is that when I list cert requests, I see this:
> >> Request ID '20131106113520':
> >> status: MONITORING
> >> stuck: no
> >> key pair storage:
> >> type=FILE,location='/var/lib/certmonger/requests/server.key'
> >> certificate:
> >> type=FILE,location='/var/lib/certmonger/requests/server.crt'
> >> CA: IPA
> >> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >> subject: CN=postgresql.example.com,O=EXAMPLE.COM
> >> expires: 2015-11-07 11:35:20 UTC
> >> eku: id-kp-serverAuth,id-kp-clientAuth
> >> pre-save command:
> >> post-save command:
> >> track: yes
> >> auto-renew: yes
> >>
> >> we can see that file location in that list is defined at request time.
> >>
> >> Shall I make Selinux to let certmonger to access /var/lib/pgsql ? or is
> >> there any other solution?
> >
> > I think yes. And I recall this is not the first time this comes up.
> > My memory might be failing me but I vaguely remember that we discussed this.
> > However I could not find any bug or ticket on the matter so I created this
> > https://bugzilla.redhat.com/show_bug.cgi?id=1027265
>
> Typically in Fedora and RHEL certs are expected to go into
> /etc/pki/tls/certs and keys into /etc/pki/tls/private. These directories
> have the correct SELinux contexts.
>
> rob
as with krb5 keytab, which recomended to keep in specified directory
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/services.html
I thought that ssl keys also should be keeped in specified directory.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
More information about the Freeipa-users
mailing list