[Freeipa-users] services and openSSL and stuff
Andrew Holway
andrew.holway at gmail.com
Sat Apr 26 12:29:20 UTC 2014
I might as well write this down here :)
I have found this mechanism works:
On the service machine:
- openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
# a common name must be entered here which is the hostname
In the IPA interface:
- Services
- Add
- HTTP/service.domain.com@DOMAIN.COM
- New Certificate
- Paste the output of the 'openssl' command
- Get
- Copy contents
On the service machine:
- Paste contents -> /etc/pki/tls/certs/ca.crt
- Move private key -> /etc/pki/tls/certs/ca.key
- adjust "SSLCertificateFile" in apache
- adjust "SSLCertificateKeyFile" in apache
However running:
ipa-getcert request -f /etc/pki/tls/certs/ca.crt -k /etc/pki/tls/certs/ca.key -r
replaces all of the above. It will return something like:
"New signing request "20140426115309" added."
If you want to replace the certificate run this first.
ipa-getcert stop-tracking -i 20140426115309
Else you will see this message:
Certificate at same location is already used by request with nickname
"20140426115309".
And here are some official docs I just found:
http://www.freeipa.org/page/Certmonger#OpenSSL
On 26 April 2014 09:02, Andrew Holway <andrew.holway at gmail.com> wrote:
>> There are also some good docs and examples in the certmonger git repo in
>> docs folder and here.
>> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/certmongerX.html
>
> Hi,
>
> The docs seem to explain quite well how to request a certificate but
> not how to actually issue a certificate. I'm looking at guides like
> this - http://wiki.centos.org/HowTos/Https - and wondering how I fill
> in the bits that are missing.
>
> I guess the real issue that I am facing here is that I want to get an
> openssl certificate signed by freeipa which is nss. I am guessing that
> you can't do this with certmonger?
>
> Sorry if I am being somewhat confusing. I'm struggling to get my head
> around all this.
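The procedure in the message above, scripted end to end with the command-line equivalents of the UI steps (this is an added example, not code from the post or from the FreeIPA project). It assumes an enrolled IPA client with a valid Kerberos ticket for an account allowed to add services and request certificates, the 'ipa' and 'ipa-getcert' tools installed, and OpenSSL on the path; the file paths, the IPA_SERVICE_HOST/IPA_REALM variables and the sample host name are hypothetical. The realm is derived from the host's domain in upper case unless one is given, which is the usual IPA convention but still an assumption. The script deliberately uses 'ipa-getcert start-tracking' on the existing files rather than 'ipa-getcert request', since 'request -f ... -k ...' has certmonger generate a fresh key pair and overwrite both files, which is the replacement behaviour the post describes.

```shell
#!/bin/sh
# Added example: CLI version of the "openssl CSR -> IPA cert -> Apache" flow.
# Assumptions (not from the original post): enrolled IPA client, kinit done,
# 'ipa', 'ipa-getcert' and 'openssl' installed. Paths below are hypothetical.
set -eu

# Build the service principal, e.g.
#   service_principal HTTP service.domain.com DOMAIN.COM
#   -> HTTP/service.domain.com@DOMAIN.COM
# Without a realm argument the host's domain is upper-cased (assumed convention).
service_principal() {
    svc=$1; host=$2; realm=${3:-}
    if [ -z "$realm" ]; then
        realm=$(printf '%s' "${host#*.}" | tr '[:lower:]' '[:upper:]')
    fi
    printf '%s/%s@%s\n' "$svc" "$host" "$realm"
}

# Extract the decimal serial number from 'ipa cert-request' output on stdin.
# Only the "Serial number:" line matches; "Serial number (hex):" is skipped.
serial_from_output() {
    awk '/^ *Serial number:/ { print $3; exit }'
}

# Generate the RSA key and CSR. The CN must be the service host name, as the
# post notes; umask 077 keeps the private key unreadable by other users.
make_csr() {
    host=$1; key=$2; csr=$3
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$key" -out "$csr" -subj "/CN=$host" )
}

# Create the service entry if missing, submit the CSR for that principal and
# save the issued certificate as PEM. Prints the serial number.
request_cert() {
    principal=$1; csr=$2; cert=$3
    ipa service-show "$principal" >/dev/null 2>&1 || ipa service-add "$principal"
    serial=$(ipa cert-request "$csr" --principal="$principal" | serial_from_output)
    [ -n "$serial" ] || { echo "no serial number in ipa cert-request output" >&2; return 1; }
    ipa cert-show "$serial" --out="$cert" >/dev/null
    printf '%s\n' "$serial"
}

# Hand the existing key/cert pair to certmonger for renewal tracking.
# This is start-tracking, not request: 'ipa-getcert request -f -k' would
# generate a new key pair and overwrite the files just installed.
track_cert() {
    principal=$1; key=$2; cert=$3
    ipa-getcert start-tracking -f "$cert" -k "$key" -K "$principal"
}

main() {
    host=$1; realm=${2:-}
    key=/etc/pki/tls/private/${host}.key   # hypothetical paths
    cert=/etc/pki/tls/certs/${host}.crt
    csr=/tmp/${host}.csr
    principal=$(service_principal HTTP "$host" "$realm")
    make_csr "$host" "$key" "$csr"
    serial=$(request_cert "$principal" "$csr" "$cert")
    echo "issued serial $serial for $principal -> $cert"
    track_cert "$principal" "$key" "$cert"
    echo "set SSLCertificateFile $cert and SSLCertificateKeyFile $key in httpd.conf"
}

# Only touch a live IPA server when explicitly asked, e.g.
#   IPA_SERVICE_HOST=service.domain.com IPA_REALM=DOMAIN.COM sh ipa-service-cert.sh
if [ -n "${IPA_SERVICE_HOST:-}" ]; then
    main "$IPA_SERVICE_HOST" "${IPA_REALM:-}"
fi
```

Before pointing Apache at the new files, check that certmonger is tracking them with 'ipa-getcert list'; if a request for the same paths already exists you will get the "Certificate at same location is already used" error quoted above, and 'ipa-getcert stop-tracking -i <request id>' clears it.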