[Freeipa-users] Cockpit Integration part II - SSL certificates
Fraser Tweedale
ftweedal at redhat.com
Mon Jan 4 01:43:26 UTC 2016
On Sun, Dec 27, 2015 at 05:43:32PM +0100, Jochen Hein wrote:
>
> Hi,
>
> Right now cockpit still uses a locally created TLS certificate, that
> should be changed to a IPA issued certificate. What I understood is
> that a certificate is for a host (e.g. ipa.example.com), so apache and
> cockpit should use the same certificate. Is that understanding correct?
>
> So this is what I did:
>
> # cp cert8.db key3.db secmod.db pwdfile.txt /tmp/
> # cd /tmp
> # pk12util -o keys.p12 -n 'Server-Cert' -d . -k /etc/httpd/alias/pwdfile.txt
> # openssl pkcs12 -in keys.p12 -out freeipa.key -nodes -clcerts
> # cp freeipa.key /etc/cockpit/ws-certs.d/freeipa.cert
> # systemctl restart cockpit.service
>
> Now Cockpit and apache use the same certificate, but the cockpit
> certificate is not tracked by certmonger. Any idea how that could
> work?
>
Either Cockpit should use the certificate and private key directly
from the NSSDB so that certmonger only has to track one certificate
(but Cockpit appears to require key and cert in PEM format so this
may not be possible), or use Certmonger to issue and track a
different certificate for Cockpit (perhaps with a dedicated service
principal for Cockpit, but this is not necessary).
Use the `-f' and `-k' getcert-request(1) options to get Certmonger
to create and track PEM key and cert instead of NSSDB.
Cheers,
Fraser
> Jochen
>
> --
> The only problem with troubleshooting is that the trouble shoots back.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
More information about the Freeipa-users
mailing list