[Freeipa-users] vaults and service accounts
Martin Basti
mbasti at redhat.com
Mon Jul 25 14:36:03 UTC 2016
On 25.07.2016 16:22, Anthony Clark wrote:
> I wondered about that, but the docs specifically say public key, and
> the command line option to "ipa vault-add" is "--public-key"
>
> From "ipa vault-add --help"
>
> --public-key=BYTES Vault public key
> --public-key-file=STR File containing the vault public key
>
> So I hope you can understand my confusion ;)
>
> Can anyone else speak to whether the newer versions of the vault code
> are any different?
>
> Thank you, Martin!
>
Yeah, sorry, I meant public key; the private key is used for deciphering.
My point was just not to use a certificate.
Martin
>
> On Mon, Jul 25, 2016 at 4:32 AM, Martin Basti <mbasti at redhat.com> wrote:
>
>
>
> On 24.07.2016 16:33, Anthony Clark wrote:
>> Hello All,
>>
>> I have a crazy notion of storing a host's SSH private keys in an
>> ipa vault, so that a rebuilt host can use the same keys.
>>
>> I'm on CentOS 7.2 and I'm using the RPMs available in the
>> standard centos base repository, so I'm constrained to version
>> 1.0 vaults. I'm using this page:
>> http://www.freeipa.org/page/V4/Password_Vault_1.0#Provisioning_service_vault_password_for_service_instance
>>
>> I'm trying these following steps but running into trouble:
>>
>> ipa service-add ssh/test01.dev.redacted.net
>>
>> certutil -N -d testcertdb
>>
>> certutil -R -d testcertdb -a -g 2048 -s 'CN=test01.dev.redacted.net,O=DEV.REDACTED.NET'
>> <paste that csr into the ipa web gui>
>>
>> ipa-getcert request -r -f testsshd01-cert.pem -k testsshd01-key.pem -K ssh/test01.dev.redacted.net@DEV.REDACTED.NET
>>
>> ipa vault-add testsshd02 --service ssh/test01.dev.redacted.net@DEV.REDACTED.NET --type asymmetric --public-key-file testsshd01-cert.pem
>>
>> the last command gives me "ipa: ERROR: invalid
>> 'ipavaultpublickey': Invalid or unsupported vault public key:
>> Could not unserialize key data."
>>
>> Is there a preferred way to create a public key for asymmetric
>> encryption for a service vault?
>>
>> Thanks,
>>
>> Anthony Clark
>>
>>
>
> Hello,
> I suspect you should use just the private key, not a certificate.
>
> https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL
>
> Regards,
> Martin
>
>
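As an added example (not FreeIPA's own code and not from either poster), the stdlib-only Python script below checks what a PEM file actually contains before it is handed to `ipa vault-add --public-key-file`. It reads the PEM label and walks the outer DER structure to tell a SubjectPublicKeyInfo (the `-----BEGIN PUBLIC KEY-----` block that `openssl rsa -pubout` writes, which is what an asymmetric vault deserializes) apart from an X.509 certificate such as testsshd01-cert.pem in the thread above, or from a raw PKCS#1/PKCS#8 key. The PEM blobs it tests are constructed inline around a fake modulus, so they are not real keys, and the function names are the example's own.

```python
"""Added example (not FreeIPA code): check what a PEM file really holds before
passing it to `ipa vault-add --public-key-file`. Asymmetric vaults expect a
SubjectPublicKeyInfo ("PUBLIC KEY" block), not a certificate. The sample
blobs below are constructed for this example and contain a fake modulus."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def der(tag, payload):
    """Encode one DER TLV (used only to build the constructed samples)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, next_pos). Single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def classify_der(blob):
    """Distinguish SubjectPublicKeyInfo from certificates and raw key structures
    by the first element nested inside the outer SEQUENCE."""
    tag, body, _ = der_tlv(blob)
    if tag != 0x30:
        return "not a DER SEQUENCE"
    inner_tag, inner, _ = der_tlv(body)
    if inner_tag == 0x02:
        return "PKCS#1 RSA key or PKCS#8 PrivateKeyInfo (starts with INTEGER)"
    if inner_tag == 0x30:
        first_tag, _, _ = der_tlv(inner)
        if first_tag == 0x06:
            return "SubjectPublicKeyInfo"          # AlgorithmIdentifier starts with an OID
        if first_tag == 0xA0:
            return "X.509 Certificate"             # tbsCertificate starts with [0] version
        if first_tag == 0x02:
            return "X.509 v1 Certificate or CSR"   # serialNumber / CSR version INTEGER first
    return "unrecognised structure"


def check_vault_public_key(pem_text):
    """Return (ok, message). ok only for a PUBLIC KEY block whose DER really is
    a SubjectPublicKeyInfo; anything else is what vault-add rejects."""
    m = PEM_RE.search(pem_text)
    if not m:
        return False, "no PEM block found"
    label, body = m.group(1), "".join(m.group(2).split())
    try:
        kind = classify_der(base64.b64decode(body, validate=True))
    except (ValueError, IndexError) as e:
        return False, "undecodable PEM body: %s" % e
    if label == "PUBLIC KEY" and kind == "SubjectPublicKeyInfo":
        return True, "SubjectPublicKeyInfo: usable with --public-key-file"
    return False, "PEM label %r contains %s; vault-add needs a PUBLIC KEY block" % (label, kind)


def pem(label, blob):
    """Wrap DER bytes in a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# Constructed samples: a fake 33-byte "modulus" is enough to exercise the parser.
FAKE_N = b"\x00" + bytes(range(1, 34))
SPKI_DER = der(0x30, der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
               + der(0x03, b"\x00" + der(0x30, der(0x02, FAKE_N) + der(0x02, b"\x01\x00\x01"))))
TBS_DER = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + SPKI_DER)  # version, serial, key
CERT_DER = der(0x30, TBS_DER + der(0x30, der(0x06, RSA_OID)) + der(0x03, b"\x00\xAA"))
SAMPLE_PUBLIC_KEY_PEM = pem("PUBLIC KEY", SPKI_DER)
SAMPLE_CERT_PEM = pem("CERTIFICATE", CERT_DER)
SAMPLE_MISLABELED_PEM = pem("PUBLIC KEY", CERT_DER)   # right label, wrong content

if __name__ == "__main__":
    for name, text in [("public key", SAMPLE_PUBLIC_KEY_PEM), ("certificate", SAMPLE_CERT_PEM),
                       ("mislabeled", SAMPLE_MISLABELED_PEM)]:
        print(name, check_vault_public_key(text))
```

Run against the samples, only the public key block is accepted; the certificate and the mislabeled block are both reported with what they actually contain. A PUBLIC KEY block matching an existing certificate can be written out with `openssl x509 -in testsshd01-cert.pem -pubkey -noout`, and a fresh pair with `openssl genrsa` followed by `openssl rsa -pubout`; either output passes this check, while the certificate file from the thread does not.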