[Freeipa-users] Obtaining certificate private keys for Apache/etc.
Rob Crittenden
rcritten at redhat.com
Thu Feb 4 08:47:05 UTC 2016
Christopher Young wrote:
> Thanks. That's good advice and good to know. I'm going to be trying
> to work this into an Ansible role, so having a command listing helps
> alot.
>
> That leads to a curious question if anyone has thought about building
> an Ansible module(s) for manipulating FreeIPA objects. I'm going to
> do some searching for that.
To close the loop, the dfault cert in IPA clients is stored in an NSS
database and NSS doesn't give up its private keys willingly. The only
way to get them is to export to a PKCS#12 file using pk12util then
extract them using openssl pkcs12.
rob
>
> On Wed, Feb 3, 2016 at 3:12 AM, Martin Kosek <mkosek at redhat.com> wrote:
>> On 02/03/2016 12:42 AM, Christopher Young wrote:
>>> I've been doing some reading and perhaps I'm confusing myself, but I
>>> couldn't find any definitive guide on how to go about doing what I
>>> think it a pretty simple thing.
>>>
>>> My ipa-client installs appear to generate a new TLS/SSL/PKI cert for
>>> each host when they are registered. I'd like to utilize that
>>> certificate with Apache/tomcat/etc.. I'm aware of how to obtain the
>>> certificate itself, however I'm not clear on how to obtain the private
>>> key (in a format that I can use as well) that was used to generate the
>>> certificate.
>>>
>>> Would someone kindly point me in the right direction or ideally just
>>> educate me on the command/options needed to do this. In particular,
>>> I'm looking to create pem files for both the key and cert for use with
>>> Apache, but it would be useful to understand how to do it for other
>>> stores as well. (Hint: this would be great to just have in a document
>>> that makes it clear). :)
>>
>> Hi Chris,
>>
>> I do not think it is a good idea to do what you are doing :-) The host
>> certificate does not need to be the same as Web certificate. From FreeIPA 4.1
>> (IIRC), it is not even requested by default on all clients.
>>
>> I would rather recommend generating a separate certificate for the Web UI, we
>> have some walkthrough here:
>>
>> http://www.freeipa.org/page/PKI#Requesting_a_new_certificate
>>
>>> Thanks again to the freeipa team. I love this product.
>>
>> And I love to hear notes from the community like this, very rewarding!
>
More information about the Freeipa-users
mailing list