[Freeipa-users] Replace with 3rd party certificates

Andreas Ladanyi andreas.ladanyi at kit.edu
Wed Jul 6 14:41:23 UTC 2016


Hi Rob,
>> Hi,
>>
>> Is it possible that ipa-server-certinstall couldn't handle private keys
>> without a password?
>
> You can file an RFE at https://fedorahosted.org/freeipa/newticket
It seems that ipa-server-certinstall couldn't handle private keys with a
password, either. See my result below.

>
>> I would test it with a self-signed certificate and a test private key file
>> secured with a password, but I don't know what happens after entering a
>> valid private key unlock password. Could I stop the certificate import
>> process at this point, so no change will happen to my productive IPA
>> server?
>
> I would not recommend experimenting with random certificates.
>
> It should be possible to add a password to your private key. A quick 
> google found 
> http://security.stackexchange.com/questions/59136/can-i-add-a-password-to-an-existing-private-key
That's a great idea. I have done so and tested again:

openssl rsa -des3 -in private.key -out private_key_with_pw.key

ipa-server-certinstall -w certificate.pem private_key_with_pw.key

After entering the password to unlock the private key I get the message:

Insufficient access:  Invalid credentials



Andreas
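
An added example, not part of the original message and not FreeIPA code: a small pre-flight check that reports whether a PEM key file such as private_key_with_pw.key is actually password-protected before it is handed to an installer. The function name and the sample inputs are hypothetical and constructed; it recognises both the traditional Proc-Type/DEK-Info headers and the PKCS#8 "ENCRYPTED PRIVATE KEY" label.

```python
import re

# Constructed sample inputs: the base64 bodies are dummy bytes, not real keys.
SAMPLE_TRADITIONAL_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

Y29uc3RydWN0ZWQgc2FtcGxlIGJvZHk=
-----END RSA PRIVATE KEY-----
"""
SAMPLE_PKCS8_ENCRYPTED = """-----BEGIN ENCRYPTED PRIVATE KEY-----
Y29uc3RydWN0ZWQgc2FtcGxlIGJvZHk=
-----END ENCRYPTED PRIVATE KEY-----
"""
SAMPLE_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
Y29uc3RydWN0ZWQgc2FtcGxlIGJvZHk=
-----END RSA PRIVATE KEY-----
"""

# One PEM block: label in group 1, everything between the markers in group 2.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def classify_private_key(pem_text):
    """Return (state, detail) for the first private-key block in pem_text.

    state is "encrypted", "unencrypted" or "no-key".
    """
    for label, body in PEM_BLOCK.findall(pem_text):
        if label == "ENCRYPTED PRIVATE KEY":
            return ("encrypted", "PKCS#8")
        if not label.endswith("PRIVATE KEY"):
            continue  # e.g. a CERTIFICATE block in a combined file
        # Traditional format: RFC 1421 style headers precede the base64 body.
        # Base64 never contains ':', so any line with one is a header.
        headers = {}
        for line in body.splitlines():
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip()] = value.strip()
        if headers.get("Proc-Type", "").replace(" ", "") == "4,ENCRYPTED":
            cipher = headers.get("DEK-Info", "unknown").split(",")[0]
            return ("encrypted", "traditional, " + cipher)
        return ("unencrypted", label)
    return ("no-key", "")
```

To check a real file, pass its contents: classify_private_key(open("private_key_with_pw.key").read()).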