[Freeipa-users] vaults and service accounts

Anthony Clark anthonyclarka2 at gmail.com
Mon Jul 25 14:22:02 UTC 2016


I wondered about that, but the docs specifically say public key, and the
command line option to "ipa vault-add" is "--public-key"

From "ipa vault-add --help":

  --public-key=BYTES    Vault public key
  --public-key-file=STR   File containing the vault public key

So I hope you can understand my confusion ;)

Can anyone else speak to whether the newer versions of the vault code are
any different?

Thank you, Martin!


On Mon, Jul 25, 2016 at 4:32 AM, Martin Basti <mbasti at redhat.com> wrote:

>
>
> On 24.07.2016 16:33, Anthony Clark wrote:
>
> Hello All,
>
> I have a crazy notion of storing a host's SSH private keys in a ipa vault,
> so that a rebuilt host can use the same keys.
>
> I'm on CentOS 7.2 and I'm using the RPMs available in the standard centos
> base repository, so I'm constrained to version 1.0 vaults.  I'm using this
> page:
> http://www.freeipa.org/page/V4/Password_Vault_1.0#Provisioning_service_vault_password_for_service_instance
>
> I'm trying these following steps but running into trouble:
>
> ipa service-add ssh/test01.dev.redacted.net
>
> certutil -N -d testcertdb
>
> certutil -R -d testcertdb -a -g 2048 -s 'CN=test01.dev.redacted.net,O=DEV.REDACTED.NET'
> <paste that csr into the ipa web gui>
>
> ipa-getcert request -r -f testsshd01-cert.pem -k testsshd01-key.pem -K ssh/test01.dev.redacted.net@DEV.REDACTED.NET
>
> ipa vault-add testsshd02 --service ssh/test01.dev.redacted.net@DEV.REDACTED.NET --type asymmetric --public-key-file testsshd01-cert.pem
>
> the last command gives me "ipa: ERROR: invalid 'ipavaultpublickey':
> Invalid or unsupported vault public key: Could not unserialize key data."
>
> Is there a preferred way to create a public key for asymmetric encryption
> for a service vault?
>
> Thanks,
>
> Anthony Clark
>
>
>
> Hello,
> I suspect you should use just private key, not certificate
>
> https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL
>
> Regards,
> Martin
>
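
Added example (not part of the thread or of FreeIPA itself): the "Could not unserialize key data" error in the quoted command is what you get when a certificate PEM is handed to an option that wants a public key PEM. Assuming the vault plugin accepts a PEM SubjectPublicKeyInfo block (the `-----BEGIN PUBLIC KEY-----` object that `openssl pkey -pubout` writes), the script below tells the two apart by their PEM label and generates a key pair suitable for an asymmetric vault. The file names, the temp directory and the sample certificate header are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the list thread or from FreeIPA.
# Assumption: ipa vault-add --public-key-file expects a PEM public key
# ("-----BEGIN PUBLIC KEY-----"), not a certificate. File names are placeholders.

# Print the PEM label of the first object in a file, e.g. "PUBLIC KEY",
# "CERTIFICATE", "PRIVATE KEY". Prints "NOT PEM" when no PEM header is found.
pem_label() {
    label=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1)
    if [ -z "$label" ]; then
        echo "NOT PEM"
    else
        echo "$label"
    fi
}

# Succeed only when the file holds the public-key object the vault accepts.
# A certificate contains a public key but is a different PEM object, which is
# why passing the cert file produced the error quoted above.
is_vault_public_key() {
    [ "$(pem_label "$1")" = "PUBLIC KEY" ]
}

# Generate an RSA key pair. The private key stays with whoever must later
# retrieve the archived data; only the public key is given to ipa vault-add.
make_vault_keypair() {
    priv=$1
    pub=$2
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$priv" 2>/dev/null
    chmod 600 "$priv"
    openssl pkey -in "$priv" -pubout -out "$pub"
}

# Demo: a constructed certificate-shaped file (dummy body, not a real cert)
# is rejected, then a real key pair is produced when openssl is available.
tmp=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedSampleBodyNotARealCert=' \
    '-----END CERTIFICATE-----' > "$tmp/sample-cert.pem"
if is_vault_public_key "$tmp/sample-cert.pem"; then
    echo "unexpected: certificate accepted"
else
    echo "rejected $(pem_label "$tmp/sample-cert.pem"): not a vault public key"
fi

if command -v openssl >/dev/null 2>&1; then
    make_vault_keypair "$tmp/vault-key.pem" "$tmp/vault-pub.pem"
    echo "private key : $(pem_label "$tmp/vault-key.pem")"
    echo "public key  : $(pem_label "$tmp/vault-pub.pem")"
    if is_vault_public_key "$tmp/vault-pub.pem"; then
        echo "ok: pass $tmp/vault-pub.pem to ipa vault-add --public-key-file"
        # e.g.  ipa vault-add testsshd02 --service ssh/test01.dev.redacted.net@DEV.REDACTED.NET \
        #           --type asymmetric --public-key-file "$tmp/vault-pub.pem"
    fi
fi
rm -rf "$tmp"
```

For the host-rebuild use case this implies a second problem: the private key is the only thing that can decrypt what the vault holds (`ipa vault-retrieve` takes it via `--private-key-file` for asymmetric vaults), so it has to be kept somewhere the rebuilt host can reach and that survives the rebuild; if it is lost with the old host, the archived SSH host keys are unrecoverable.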