[Freeipa-users] Redhat IPA as a SSL CA
Arthur Faizullin
arthur at deus.pro
Wed Oct 16 05:20:43 UTC 2013
Is it
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
about the same?
On Fri, 19/07/2013 at 10:56 +0530, M.R Niranjan wrote:
> On 07/19/2013 06:57 AM, craig.freeipa at noboost.org wrote:
> > Hi,
> >
> > I've been using Redhat IPA 2.2 as our internal CA quite successfully
> > for a while and managing it from the IPA management website.
> >
> > I'm struggling to find precise information about the SSL certs and
> > management at a CLI level.
> >
> > 1) Can I submit SSL CSR via cli?
> Yes, you could, using the ipa cert-request command
>
> Example:
>
> 1. Add the host for which you are generating request.
>
> # ipa host-add webserver1.example.org
>
> 2. Create a CSR (i.e. private key and certificate request using openssl
> command)
>
> A. Generate private key:
>
> [root@test1 certs]# openssl genrsa 1024 > server.key
>
> B. Generate CSR:
>
> [root@test1 certs]# openssl req -new -key server.key -out server.csr
>
> 3. Submit the certificate request:
>
> # ipa cert-request /etc/pki/tls/certs/server.csr
>
> 4. Get the signed Certificate out using ipa cert-show command
>
> Example:
> [root@test1 certs]# ipa cert-show 12 --out=/etc/pki/tls/certs/server.crt
>
> > 2) Where are the approved client SSL certs kept in IPA?
> >
>
> They are stored in Directory Server in 2 places
>
> 1. Domain Suffix tree
> dn:fqdn=webserver1.example.org,cn=computers,cn=accounts,dc=example,dc=org
>
> 2. CA store in DS. Certificate system of IPA stores certificate in its
> LDAP store (ou=certificateRepository,ou=ca,o=ipaca)
>
>
> >
> > cya
> >
> > Craig
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> >
>
>
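The CLI procedure quoted above, as an added example that is not part of the original thread: it builds the CSR without prompts and checks it locally before submission, since the CA compares the CSR's subject CN with the principal's host name. The 2048-bit key size, the `host/<fqdn>` principal, the file names and the helper function names are assumptions of this example; the ipa steps need a valid Kerberos ticket (`kinit`).

```shell
#!/bin/sh
# Added example (not from the thread). Function names and paths are hypothetical.

# Create a 2048-bit RSA key (owner-readable only) and a CSR with CN=<fqdn>.
make_csr() {  # usage: make_csr <fqdn> <dir>
    ( umask 077 && openssl genrsa -out "$2/server.key" 2048 2>/dev/null ) &&
    openssl req -new -key "$2/server.key" -subj "/CN=$1" -out "$2/server.csr"
}

# Print the commonName found in the CSR subject.
csr_cn() {  # usage: csr_cn <csr>
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Print the public key size of the CSR in bits.
csr_bits() {  # usage: csr_bits <csr>
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Refuse a CSR whose CN is not the expected host or whose key is too short.
check_csr() {  # usage: check_csr <csr> <fqdn>
    [ "$(csr_cn "$1")" = "$2" ] ||
        { echo "CSR CN does not match $2" >&2; return 1; }
    [ "$(csr_bits "$1")" -ge 2048 ] 2>/dev/null ||
        { echo "CSR key is shorter than 2048 bits" >&2; return 1; }
}

# Steps 1-3 of the thread: host entry, CSR, submission to the IPA CA.
request_cert() {  # usage: request_cert <fqdn> <dir>
    make_csr "$1" "$2" && check_csr "$2/server.csr" "$1" &&
    { ipa host-show "$1" >/dev/null 2>&1 || ipa host-add "$1"; } &&
    ipa cert-request "$2/server.csr" --principal="host/$1"
    # Step 4, with the serial number printed by cert-request:
    #   ipa cert-show <serial> --out="$2/server.crt"
}

# Run the flow only when called as: script <fqdn> <dir>
if [ $# -eq 2 ]; then request_cert "$1" "$2"; fi
```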