[Freeipa-users] vaults and service accounts

Martin Basti mbasti at redhat.com
Mon Jul 25 14:36:03 UTC 2016



On 25.07.2016 16:22, Anthony Clark wrote:
> I wondered about that, but the docs specifically say public key, and 
> the command line option to "ipa vault-add" is "--public-key"
>
> From "ipa vault-add --help"
>
>   --public-key=BYTES    Vault public key
>   --public-key-file=STR   File containing the vault public key
>
> So I hope you can understand my confusion ;)
>
> Can anyone else speak to whether the newer versions of the vault code 
> are any different?
>
> Thank you, Martin!
>
Yeah sorry, I meant public key; the private key is used for deciphering.

My point was just not to use a certificate.

Martin

>
> On Mon, Jul 25, 2016 at 4:32 AM, Martin Basti <mbasti at redhat.com> wrote:
>
>
>
>     On 24.07.2016 16:33, Anthony Clark wrote:
>>     Hello All,
>>
>>     I have a crazy notion of storing a host's SSH private keys in an
>>     ipa vault, so that a rebuilt host can use the same keys.
>>
>>     I'm on CentOS 7.2 and I'm using the RPMs available in the
>>     standard centos base repository, so I'm constrained to version
>>     1.0 vaults.  I'm using this page:
>>     http://www.freeipa.org/page/V4/Password_Vault_1.0#Provisioning_service_vault_password_for_service_instance
>>
>>     I'm trying these following steps but running into trouble:
>>
>>     ipa service-add ssh/test01.dev.redacted.net
>>
>>     certutil -N -d testcertdb
>>
>>     certutil -R -d testcertdb -a -g 2048 -s 'CN=test01.dev.redacted.net,O=DEV.REDACTED.NET'
>>     <paste that csr into the ipa web gui>
>>
>>     ipa-getcert request -r -f testsshd01-cert.pem -k testsshd01-key.pem -K ssh/test01.dev.redacted.net@DEV.REDACTED.NET
>>
>>     ipa vault-add testsshd02 --service ssh/test01.dev.redacted.net@DEV.REDACTED.NET --type asymmetric --public-key-file testsshd01-cert.pem
>>
>>     the last command gives me "ipa: ERROR: invalid
>>     'ipavaultpublickey': Invalid or unsupported vault public key:
>>     Could not unserialize key data."
>>
>>     Is there a preferred way to create a public key for asymmetric
>>     encryption for a service vault?
>>
>>     Thanks,
>>
>>     Anthony Clark
>>
>>
>
>     Hello,
>     I suspect you should use just the private key, not a certificate
>
>     https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL
>
>     Regards,
>     Martin
>
>
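The point of the thread is that an asymmetric vault takes a bare public key, not the X.509 certificate that ipa-getcert writes; handing it the certificate is what produces "Could not unserialize key data". The script below is an added example (not from the thread or from the FreeIPA project): it generates the keypair with openssl, extracts the PEM public key, and checks which of the two files is actually a public key. It assumes openssl is on PATH and that FreeIPA parses the PEM SubjectPublicKeyInfo that `openssl rsa -pubout` writes (that is the form the vault documentation uses). The ipa vault-archive/vault-retrieve options in vault_roundtrip are written from memory of the 4.2-era client and are not exercised here; check them against `ipa vault-archive --help` and `ipa vault-retrieve --help` on your version, and keep in mind that the private key file is the only thing that can decrypt the vault, so a rebuilt host must be able to fetch it from somewhere other than the vault itself.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA.
# Shows the key material an `ipa vault-add --type asymmetric` expects:
# a bare PEM public key ("-----BEGIN PUBLIC KEY-----"), not a certificate.
set -eu

# make_vault_keypair DIR: write DIR/vault-private.pem and DIR/vault-public.pem.
# The private key decrypts everything archived in the vault; keep it 0600.
make_vault_keypair() {
    dir="$1"
    mkdir -p "$dir"
    openssl genrsa -out "$dir/vault-private.pem" 2048 2>/dev/null
    chmod 600 "$dir/vault-private.pem"
    openssl rsa -in "$dir/vault-private.pem" -pubout -out "$dir/vault-public.pem" 2>/dev/null
}

# make_self_signed_cert DIR: build the kind of file the original command passed
# (an X.509 certificate for the same key), so the two can be compared.
make_self_signed_cert() {
    dir="$1"
    openssl req -new -x509 -key "$dir/vault-private.pem" \
        -subj '/CN=example.test' -days 1 -out "$dir/vault-cert.pem" 2>/dev/null
}

# is_vault_public_key FILE: succeed only if FILE is a PEM public key that
# openssl can parse; a certificate or a private key fails here.
is_vault_public_key() {
    head -n 1 "$1" | grep -q '^-----BEGIN PUBLIC KEY-----$' || return 1
    openssl pkey -pubin -in "$1" -noout 2>/dev/null
}

# vault_roundtrip NAME PRINCIPAL DIR SECRET: the flow from the thread with the
# keypair above. Needs an ipa client and a kinit'd session, so it is not run
# by default. The archive/retrieve options are assumed (from memory of the
# 4.2 client); verify them with `ipa vault-archive --help` before relying on it.
vault_roundtrip() {
    name="$1"; principal="$2"; dir="$3"; secret="$4"
    ipa vault-add "$name" --service "$principal" --type asymmetric \
        --public-key-file "$dir/vault-public.pem"
    ipa vault-archive "$name" --service "$principal" --in "$secret"
    ipa vault-retrieve "$name" --service "$principal" \
        --private-key-file "$dir/vault-private.pem" --out "$dir/retrieved"
    cmp -s "$secret" "$dir/retrieved"
}

# Stand-alone run: generate both files in a scratch directory and report
# which one could be passed to --public-key-file.
workdir=$(mktemp -d)
make_vault_keypair "$workdir"
make_self_signed_cert "$workdir"
for f in vault-public.pem vault-cert.pem; do
    if is_vault_public_key "$workdir/$f"; then
        echo "$f: usable as --public-key-file"
    else
        echo "$f: not a bare public key (the 'Could not unserialize key data' case)"
    fi
done
```

Run it as-is to see the two files classified; to try the real vault flow, call `vault_roundtrip testsshd02 ssh/host.example.test@EXAMPLE.TEST "$workdir" /path/to/secret` from a shell with a valid Kerberos ticket.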
