[Freeipa-users] Obtaining certificate private keys for Apache/etc.
Martin Kosek
mkosek at redhat.com
Wed Feb 3 08:12:23 UTC 2016
On 02/03/2016 12:42 AM, Christopher Young wrote:
> I've been doing some reading and perhaps I'm confusing myself, but I
> couldn't find any definitive guide on how to go about doing what I
> think is a pretty simple thing.
>
> My ipa-client installs appear to generate a new TLS/SSL/PKI cert for
> each host when they are registered. I'd like to utilize that
> certificate with Apache/tomcat/etc. I'm aware of how to obtain the
> certificate itself, however I'm not clear on how to obtain the private
> key (in a format that I can use as well) that was used to generate the
> certificate.
>
> Would someone kindly point me in the right direction or ideally just
> educate me on the command/options needed to do this. In particular,
> I'm looking to create pem files for both the key and cert for use with
> Apache, but it would be useful to understand how to do it for other
> stores as well. (Hint: this would be great to just have in a document
> that makes it clear). :)

Hi Chris,

I do not think it is a good idea to do what you are doing :-) The host
certificate does not need to be the same as the Web certificate. From FreeIPA 4.1
(IIRC), it is not even requested by default on all clients.

I would rather recommend generating a separate certificate for the Web UI; we
have some walkthrough here:

http://www.freeipa.org/page/PKI#Requesting_a_new_certificate

> Thanks again to the freeipa team. I love this product.

And I love to hear notes from the community like this, very rewarding!