[Freeipa-users] service cert to a host/member/service

Rob Crittenden rcritten at redhat.com
Wed May 4 17:26:27 UTC 2016


lejeczek wrote:
> hi users,
>
> as one follows official docs and issues a certificate for a
> service/host, one wonders what is the correct way to move such a
> certificate to a host(which is domain member) ?
> I understand certificates issued with:
>
> $ ipa cert-request -add --principal
>
> are stored in ldap backend, (yet I don't quite get the difference
> between that tool and ipa-certget).

The first uses the IPA command-line to get a cert directly. ipa-getcert 
uses certmonger.

If you are getting a certificate for another host, particularly if that 
host isn't an IPA client, then the first form is the way to go.

> How do I get such a certificate off the server and to a host-not-server?

$ ipa cert-show <serial#> --out cert.pem

> In my case I'm hoping to use this certificate in apache+nss.
> I realize I also will need CA certificate on that host, which I got hold
> of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's the
> right way?

So in this case you'd want to generate the CSR on the host-not-server 
using certutil. You'd take that CSR to the enrolled host and run ipa 
cert-request ...

Get a copy of the cert and get that and /etc/ipa/ca.crt to the 
host-not-server.

Use certutil to add both to your NSS database.

rob
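The workflow Rob lays out (CSR generated with certutil on the non-enrolled host, `ipa cert-request` run on an enrolled host, then the issued cert plus `/etc/ipa/ca.crt` imported into the NSS database) as a POSIX shell script. This is an added example, not code from the thread or the FreeIPA project; the hostname, realm, NSS database path, certificate nicknames and the serial number are assumed placeholders, and the step functions are only run when you pass the matching argument, so the PEM sanity checks can be exercised on their own.

```shell
#!/bin/sh
# Added example (not from the original thread): the CSR -> ipa cert-request ->
# certutil import workflow as shell functions. All names below are assumptions.
set -eu

NSSDB="${NSSDB:-/etc/httpd/alias}"            # assumed mod_nss database on the web host
HOST_FQDN="${HOST_FQDN:-www.example.test}"     # placeholder non-enrolled host
REALM="${REALM:-EXAMPLE.TEST}"                 # placeholder IPA realm
PRINCIPAL="HTTP/${HOST_FQDN}@${REALM}"
CSR="${HOST_FQDN}.csr"

# Count PEM certificate blocks so a file can be checked before it is imported.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# A usable PEM file has at least one block and matching BEGIN/END markers.
check_pem() {
    b=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    e=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
    [ "$b" -ge 1 ] && [ "$b" -eq "$e" ]
}

# Step 1, on the host-not-server: create the NSS db if needed, then a CSR.
# The private key never leaves this database; only the CSR is carried across.
make_csr() {
    [ -d "$NSSDB" ] || certutil -N -d "$NSSDB" --empty-password
    certutil -R -d "$NSSDB" -s "CN=${HOST_FQDN},O=${REALM}" \
        -8 "$HOST_FQDN" -g 2048 -a -o "$CSR"
}

# Step 2, on an enrolled host with an admin ticket: request the cert for the
# service principal (--add creates the principal if it does not exist yet),
# then export it by serial number as Rob describes.
request_cert() {
    serial="$1"   # serial printed by ipa cert-request; passed in by the operator
    ipa cert-request "$CSR" --principal="$PRINCIPAL" --add
    ipa cert-show "$serial" --out cert.pem
    check_pem cert.pem
}

# Step 3, back on the host-not-server: import the CA (trusted for servers)
# and the issued cert (which pairs with the key already in the db), then
# let certutil verify the chain for SSL-server usage before Apache is restarted.
import_certs() {
    check_pem ca.crt && check_pem cert.pem
    certutil -A -d "$NSSDB" -n "IPA CA" -t "CT,," -i ca.crt
    certutil -A -d "$NSSDB" -n "Server-Cert" -t "u,u,u" -i cert.pem
    certutil -V -d "$NSSDB" -n "Server-Cert" -u V
}

case "${1:-}" in
    csr)     make_csr ;;
    request) request_cert "${2:?serial number required}" ;;
    import)  import_certs ;;
    *)       : ;;   # no argument: define functions only
esac
```

Run it as `sh script.sh csr` on the web host, copy the CSR to an enrolled machine and run `sh script.sh request SERIAL` there after `kinit admin`, then copy `cert.pem` and `/etc/ipa/ca.crt` (as `ca.crt`) back and run `sh script.sh import`. The `-t "CT,,"` trust on the CA and `-t "u,u,u"` on the server cert match what mod_nss expects for a server certificate whose key lives in the same database.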
