[Freeipa-users] services and openSSL and stuff

Sat Apr 26 12:29:20 UTC 2014

I might as well write this down here :)

I have found this mechanism works:

On the service machine:
  - openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
# a common name must be entered here which is the hostname

In the IPA interface:
  - Services
  - Add
  - HTTP/service.domain.com at DOMAIN.COM
  - New Certificate
  - Paste the output of the 'openssl' command
  - Get
  - Copy contents

On the service machine:
  - Paste contents -> /etc/pki/tls/certs/ca.crt
  - Move private key -> /etc/pki/tls/certs/ca.key
  - adjust "SSLCertificateFile" in apache
  - adjust "SSLCertificateKeyFile" in apache

However running:
ipa-getcert request -f /etc/pki/tls/certs/ca.crt -k /etc/pki/tls/certs/ca.key -r

replaces all of the above. It will return something like:
"New signing request "20140426115309" added."

If you want to replace the certificate run this first.
ipa-getcert stop-tracking -i 20140426115309

Else you will see this message:
Certificate at same location is already used by request with nickname
"20140426115309".

And here is some official docs I just found:
http://www.freeipa.org/page/Certmonger#OpenSSL

On 26 April 2014 09:02, Andrew Holway <andrew.holway at gmail.com> wrote:
>> There are also some good docs and examples in the certmonger git repo in
>> docs folder and here.
>> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/certmongerX.html
>
> Hi,
>
> The docs seem to explain quite well how to request a certificate but
> not how to actually issue a certificate. I'm looking at guides like
> this - http://wiki.centos.org/HowTos/Https - and wondering how I fill
> in the bits that are missing.
>
> I guess the real issue that I am facing here is that I want to get an
> openssl certificate signed by freeipa which is nss. I am guessing that
> you cant do this with certmonger?
>
> Sorry if I am being somewhat confusing. Im struggling to get my head
> around all this.