[Freeipa-users] Redhat IPA as a SSL CA

Rob Crittenden rcritten at redhat.com
Thu Oct 17 02:56:24 UTC 2013


Arthur Faizullin wrote:
> Is it
> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> about the same?

No, that is for another purpose. That replaces IPA service certs with 
those from a 3rd party CA (and it doesn't work well at all in 2.2 or 3.0).

I'd recommend certmonger so you can auto-renew certs, 
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/certmongerX.html

Or manually at 
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/managing-services.html#request-service-service

rob

>
> On Fri, 19/07/2013 at 10:56 +0530, M.R Niranjan wrote:
>> On 07/19/2013 06:57 AM, craig.freeipa at noboost.org wrote:
>>> Hi,
>>>
>>> I've been using Redhat IPA 2.2 as our internal CA quite successfully
>>> for a while and managing in it from the IPA management website.
>>>
>>> I'm struggling to find precise information about the SSL certs and
>>> management at a CLI level.
>>>
>>> 1) Can I submit SSL CSR via cli?
>> Yes, you could using ipa cert-request command
>>
>> Example:
>>
>> 1. Add the host for which you are generating request.
>>
>> # ipa host-add webserver1.example.org
>>
>> 2. Create a CSR (i.e private key and certificate request using openssl
>> command)
>>
>> 	A. Generate private key:
>>
>> 	[root at test1 certs]# openssl genrsa 1024 > server.key
>>
>> 	B. Generate CSR:
>>
>> 	[root at test1 certs]#  openssl req -new -key server.key -out server.csr
>>
>> 3. Submit the certificate request:
>>
>> # ipa cert-request /etc/pki/tls/certs/server.csr
>>
>> 4. Get the signed Certificate out using ipa cert-show command
>>
>> Example:
>> [root at test1 certs]# ipa cert-show 12 --out=/etc/pki/tls/certs/server.crt
>>
>>> 2) Where are the approved client SSL certs kept in IPA?
>>>
>>
>> They are stored in Directory Server in 2 places
>>
>> 1. Domain Suffix tree
>> dn:fqdn=webserver1.example.org,cn=computers,cn=accounts,dc=example,dc=org
>>
>> 2. CA store in DS. Certificate system of IPA stores certificate in it's
>> ldap store (ou=certificateRepository,ou=ca,o=ipaca)
>>
>>
>>>
>>> cya
>>>
>>> Craig
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>

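The CSR steps from Niranjan's reply, as an added shell example that is not part of the thread: it uses a 2048-bit key instead of the 1024-bit key shown above, puts a subjectAltName on the request, and checks the CSR against the key before it is submitted. The `openssl` calls assume OpenSSL 1.1.1 or later; the `ipa` calls assume an enrolled client with a Kerberos ticket, and parsing the serial number out of `ipa cert-request` output is an assumption about that output's format.

```shell
#!/bin/sh
# Added example: key + CSR generation for an IPA service cert, following the
# thread's steps but with a 2048-bit key, a SAN, and a self-check of the CSR.
# Assumes openssl >= 1.1.1 (-addext); ipa commands assume an enrolled client.
set -eu

# make_csr FQDN OUTDIR [BITS]: private key (mode 0600) and CSR with
# CN=FQDN and DNS:FQDN in subjectAltName, ready for ipa cert-request.
make_csr() {
    fqdn=$1; outdir=$2; bits=${3:-2048}
    mkdir -p "$outdir"
    # umask in a subshell so only the key file gets restrictive permissions
    ( umask 077; openssl genrsa -out "$outdir/server.key" "$bits" 2>/dev/null )
    openssl req -new -key "$outdir/server.key" -out "$outdir/server.csr" \
        -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
}

# csr_cn CSR: print the CN so it can be compared with the host entry in IPA.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN *= *//'
}

# csr_san CSR: print the subjectAltName value (e.g. DNS:webserver1.example.org).
csr_san() {
    openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | tr -d ' '
}

# csr_ok CSR: non-zero exit if the request's self-signature does not verify,
# i.e. the CSR was not made with server.key (catches a mixed-up key/CSR pair).
csr_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# submit_csr FQDN CSR OUTCRT: the ipa steps from the thread, for the HTTP
# service on FQDN. Needs a kinit'd admin on an enrolled client; not run by
# the offline self-test. Assumption: cert-request prints "Serial number: N".
submit_csr() {
    fqdn=$1; csr=$2; outcrt=$3
    ipa host-add "$fqdn" >/dev/null 2>&1 || true          # fine if it exists
    ipa service-add "HTTP/$fqdn" >/dev/null 2>&1 || true
    serial=$(ipa cert-request --principal="HTTP/$fqdn" "$csr" \
             | sed -n 's/^ *Serial number: *//p' | head -n 1)
    ipa cert-show "$serial" --out="$outcrt"
}

if [ $# -ge 1 ]; then   # usage: ./ipa-csr.sh webserver1.example.org [outdir]
    make_csr "$1" "${2:-.}"
    csr_ok "${2:-.}/server.csr" && echo "CSR OK for $(csr_cn "${2:-.}/server.csr")"
fi
```

Run `submit_csr webserver1.example.org ./server.csr ./server.crt` only after `csr_ok` passes and the CN matches the host entry added with `ipa host-add`.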