[Freeipa-users] vaults and service accounts
Martin Basti
mbasti at redhat.com
Mon Jul 25 08:32:09 UTC 2016
On 24.07.2016 16:33, Anthony Clark wrote:
> Hello All,
>
> I have a crazy notion of storing a host's SSH private keys in a ipa
> vault, so that a rebuilt host can use the same keys.
>
> I'm on CentOS 7.2 and I'm using the RPMs available in the standard
> centos base repository, so I'm constrained to version 1.0 vaults. I'm
> using this page:
> http://www.freeipa.org/page/V4/Password_Vault_1.0#Provisioning_service_vault_password_for_service_instance
>
> I'm trying these following steps but running into trouble:
>
> ipa service-add ssh/test01.dev.redacted.net
>
> certutil -N -d testcertdb
>
> certutil -R -d testcertdb -a -g 2048 -s 'CN=test01.dev.redacted.net,O=DEV.REDACTED.NET'
> <paste that csr into the ipa web gui>
>
> ipa-getcert request -r -f testsshd01-cert.pem -k testsshd01-key.pem -K ssh/test01.dev.redacted.net@DEV.REDACTED.NET
>
> ipa vault-add testsshd02 --service ssh/test01.dev.redacted.net@DEV.REDACTED.NET --type asymmetric --public-key-file testsshd01-cert.pem
>
> the last command gives me "ipa: ERROR: invalid 'ipavaultpublickey':
> Invalid or unsupported vault public key: Could not unserialize key data."
>
> Is there a preferred way to create a public key for asymmetric
> encryption for a service vault?
>
> Thanks,
>
> Anthony Clark
>
>
Hello,
I suspect you should use just a private key, not a certificate:
https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL
Regards,
Martin
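For reference, here is how the public key can be prepared and checked before it is handed to `ipa vault-add`. This is an added example for this archive page, not code from the thread or from FreeIPA; the file paths and the realm in the comments are constructed, and `ipa` itself is not invoked.

```shell
#!/bin/sh
# An asymmetric vault expects a bare PEM public key (SubjectPublicKeyInfo,
# "-----BEGIN PUBLIC KEY-----"), not an X.509 certificate. Passing a
# certificate file is what produces "Could not unserialize key data".
set -eu

# Fresh key pair: the private key stays on the client for vault-retrieve,
# the public key is what --public-key-file takes.
gen_vault_keypair() {          # $1 private key out, $2 public key out
    openssl genrsa -out "$1" 2048 2>/dev/null
    openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# If a certificate already exists (e.g. one obtained via ipa-getcert), its
# public key can be extracted instead of generating a new pair; the matching
# private key from that request then serves for retrieval.
pubkey_from_cert() {           # $1 certificate PEM in, $2 public key out
    openssl x509 -in "$1" -pubkey -noout > "$2"
}

# Returns 0 only if the file is a PEM public key that OpenSSL can parse;
# a certificate or a CSR fails this check.
is_vault_public_key() {
    grep -q -- '-----BEGIN PUBLIC KEY-----' "$1" &&
        openssl pkey -pubin -in "$1" -noout 2>/dev/null
}

# Intended use once vault.pub passes the check (constructed names, not run):
#   ipa vault-add sshkeys --service ssh/host.example.test@EXAMPLE.TEST \
#       --type asymmetric --public-key-file vault.pub
#   ipa vault-archive sshkeys --service ssh/host.example.test@EXAMPLE.TEST \
#       --in ssh_host_rsa_key
#   ipa vault-retrieve sshkeys --service ssh/host.example.test@EXAMPLE.TEST \
#       --private-key-file vault.key
```

Keep the private key off the host that is being rebuilt, or it protects nothing; the vault only stores the public half.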