[Freeipa-users] FreeIPA SSL certificates installed to multiple hosts

Alexander Bokovoy abokovoy at redhat.com
Wed Jul 20 16:13:06 UTC 2016


On Tue, 19 Jul 2016, Rob Crittenden wrote:
>Jeremy Utley wrote:
>>Hello all!
>>
>>We're looking at replacing a lot of our currently self-signed internal
>>SSL certificates in our infrastructure with certificates generated by
>>the FreeIPA CA.  However, I've run into something that I haven't been
>>able to find documented as of yet, and I'm hoping some of you can point
>>me in the right direction.  Some of our internal SSL sites are
>>load-balanced between multiple hosts, so we end up with the same SSL/Key
>>installed to each host.  For example:
>>
>>hostname.domain.com is hosted on hostA and hostB.
>>
>>Both hostA and hostB have the certs at
>>/etc/httpd/certs/hostname.domain.com/hostname.crt, and the private key at
>>/etc/httpd/certs/hostname.domain.com/hostname.key
>>
>>I would expect I can have both hostA and hostB be able to work with the
>>FreeIPA certificates by adding additional ipa host-add-managedby and ipa
>>service-add-host commands, to specify both hostA and hostB.  However,
>>from my understanding, running the "ipa-getcert request" command on
>>hostA will put the certs on hostA only, and I'd need the same certs on
>>both hostA and hostB.  Is there a special ipa-getcert incantation that
>>can retrieve the already-issued certificate files, and allow them to be
>>managed by FreeIPA on both hosts?  Or is there another recommended way
>>of doing this?
>>
>>Thanks for any info you can give me!
>>
>
>IPA doesn't have any provision for sharing keys between machines. I 
>think you'd need to manage it similar to the way you probably do now: 
>manually copying files around.
>
>What you can do is setup one machine to "own" the certs and keys and 
>do the renewals via certmonger, but beyond that you're on your own.
In FreeIPA 4.4.x we provide (and use for our own needs) Custodia [1], which
can be used to store and retrieve commonly accessed secrets. It would
be interesting to extend certmonger to be able to retrieve certificate
material stored in Custodia. A post-retrieval script could be added to
push the certificate material to Custodia on a master.

[1] https://github.com/latchset/custodia
-- 
/ Alexander Bokovoy
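The "one host owns the cert and key, certmonger renews it, the files are copied to the other hosts" approach from Rob's reply, as an added example (not code from the thread, from FreeIPA or from certmonger). Assumed placeholders: hostA is the owner, PEERS lists the other hosts, CERT_DIR is the path from the question, root can scp/ssh from hostA to each peer, and the hook name sync-cert-to-peers.sh is hypothetical.

```shell
#!/bin/sh
# Added example: certmonger post-save hook that pushes a freshly renewed
# cert/key pair from the owning host (hostA) to the load-balanced peers.
# Placeholders: PEERS, CERT_DIR, the hook path, and root scp/ssh access.
#
# On hostA, register the hook when requesting the cert (-C = post-save command):
#   ipa-getcert request \
#     -f /etc/httpd/certs/hostname.domain.com/hostname.crt \
#     -k /etc/httpd/certs/hostname.domain.com/hostname.key \
#     -K HTTP/hostname.domain.com -D hostname.domain.com \
#     -C "/usr/local/sbin/sync-cert-to-peers.sh run"
set -eu

CERT_DIR="${CERT_DIR:-/etc/httpd/certs/hostname.domain.com}"
PEERS="${PEERS:-hostB}"      # space-separated peer hosts (placeholder)
COPY="${COPY:-scp -q}"       # file transport; tests point this at a shim
REMOTE="${REMOTE:-ssh}"      # how to run the reload on a peer

# Refuse to push a cert whose public key is not the key's (e.g. a half-finished
# renewal left a stale pair). Skipped only if openssl is not installed.
pair_matches() {
    command -v openssl >/dev/null || return 0
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

sync_cert_to_peers() {
    crt="$CERT_DIR/hostname.crt"; key="$CERT_DIR/hostname.key"
    [ -s "$crt" ] && [ -s "$key" ] || { echo "missing cert or key" >&2; return 1; }
    pair_matches "$crt" "$key" || { echo "cert/key mismatch, not pushing" >&2; return 2; }
    chmod 0600 "$key"        # never ship a group- or world-readable key
    for peer in $PEERS; do
        $COPY "$crt" "$peer:$crt"
        $COPY "$key" "$peer:$key"
        $REMOTE "$peer" systemctl reload httpd
    done
}

# certmonger runs the post-save command after every renewal
if [ "${1:-}" = run ]; then sync_cert_to_peers; fi
```

The peers still need nothing registered in IPA to receive the files; only hostA holds a certmonger tracking request, which is also the only place renewal failures will show up in `ipa-getcert list`.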