[Freeipa-users] service cert to a host/member/service

lejeczek peljasz at yahoo.co.uk
Thu May 5 09:44:39 UTC 2016


On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote:
> lejeczek wrote:
> > hi users,
> > 
> > As one follows the official docs and issues a certificate for a
> > service/host, one wonders what the correct way is to move such a
> > certificate to a host (which is a domain member)?
> > I understand certificates issued with:
> > 
> > $ ipa cert-request --add --principal
> > 
> > are stored in the LDAP backend (yet I don't quite get the difference
> > between that tool and ipa-getcert).
> 
> The first uses the IPA command-line to get a cert directly. ipa-getcert
> uses certmonger.
> 
> If you are getting a certificate for another host, particularly if that
> host isn't an IPA client, then the first form is the way to go.
> 
> > How do I get such a certificate off the server and to a host-not-server?
> 
> $ ipa cert-show <serial#> --out cert.pem
> 
> > In my case I'm hoping to use this certificate in apache+nss.
> > I realize I will also need the CA certificate on that host, which I got
> > hold of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN, if that's
> > the right way?
> 
> So in this case you'd want to generate the CSR on the host-not-server
> using certutil. You'd take that CSR to the enrolled host and run ipa
> cert-request ...
> 
> Get a copy of the cert and get that and /etc/ipa/ca.crt to the 
Is this the only place where IPA's CA cert resides?
I thought that cert would be in /etc/dirsrv/slapd-MY-DOMAIN
$ certutil -d /etc/dirsrv/slapd-MY.. 
gets me:
MY-DOMAIN IPA CA	CT,C,C
Server-Cert		u,u,u
What is that IPA CA then?
I also see the same with:
$ certutil -d /etc/httpd/alias -L
Is this the same single certificate (including /etc/ipa/ca.crt)?
I get these with: ipa-getcert list
I'm guessing these are set up by the installer and are to be managed by
certmonger, for DS and web server certificate auto-management purposes?
Many thanks.
> host-not-server.
> 
> Use certutil to add both to your NSS database.
> 
> rob
> 
> 
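The steps Rob describes (CSR on the target host, ipa cert-request on an enrolled client, ipa cert-show --out, then certutil -A for the CA and the server cert) as one script. This is an added example, not code from the thread or from the FreeIPA project. The host name web1.example.com, the realm EXAMPLE.COM, the NSS database /etc/httpd/alias and the nickname Server-Cert are assumptions; the certutil -L listing at the end is a constructed sample, not output captured from a real host. The trust-flag check is the part worth keeping around: mod_nss will not serve the cert unless the CA carries C in the SSL field and the server entry shows u,u,u, which is what the listing in the question above shows for a working database.

```sh
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): move an IPA-issued
# service certificate to a non-server host that runs Apache with mod_nss.
# Assumed names: target host web1.example.com, realm EXAMPLE.COM, NSS database
# /etc/httpd/alias, server nickname Server-Cert. Override them via the environment.
set -eu

HOST="${HOST:-web1.example.com}"
REALM="${REALM:-EXAMPLE.COM}"
NSSDB="${NSSDB:-/etc/httpd/alias}"
NICK="${NICK:-Server-Cert}"
CA_NICK="${CA_NICK:-$REALM IPA CA}"

# Kerberos service principal the certificate is requested for.
service_principal() { printf 'HTTP/%s@%s\n' "$1" "$2"; }

# Step 1, on the target host: create the NSS db if needed and generate a CSR.
# The private key stays in this db; only the CSR travels to the enrolled host.
make_csr() {
    if [ ! -f "$NSSDB/cert8.db" ] && [ ! -f "$NSSDB/cert9.db" ]; then
        certutil -N -d "$NSSDB" --empty-password
    fi
    head -c 1024 /dev/urandom > noise.bin          # seed for key generation
    certutil -R -d "$NSSDB" -s "CN=$HOST,O=$REALM" -k rsa -g 2048 \
        -z noise.bin -a -o "$HOST.csr"
    rm -f noise.bin
}

# Step 2, on an enrolled IPA client holding a Kerberos ticket: submit the CSR.
# --add creates the service entry if it does not exist yet. Prints the serial.
request_cert() {
    ipa cert-request --add --principal="$(service_principal "$HOST" "$REALM")" "$HOST.csr" |
        awk '/Serial number:/ { print $NF }'
}

# Step 3, on the enrolled client: export the issued cert by serial and copy it
# together with the IPA CA cert to the target host.
export_cert() {
    ipa cert-show "$1" --out "$HOST.crt"
    scp "$HOST.crt" /etc/ipa/ca.crt "root@$HOST:/tmp/"
}

# Step 4, on the target host: import the CA (trusted to issue SSL server certs)
# and the server cert into the same db that holds the matching private key.
install_cert() {
    certutil -A -d "$NSSDB" -n "$CA_NICK" -t "CT,C,C" -a -i /tmp/ca.crt
    certutil -A -d "$NSSDB" -n "$NICK" -t ",," -a -i "/tmp/$HOST.crt"
}

# Print the trust-attribute column for one nickname in `certutil -L` output.
flags_for() {
    printf '%s\n' "$1" | awk -v n="$2" '
        { f = $NF; sub(/[ \t]+[^ \t]+$/, ""); if ($0 == n) print f }'
}

# Check a `certutil -L` listing: the CA must be trusted for SSL (C in the first
# field) and the server cert must show u,u,u, i.e. its private key is present.
nss_trust_ok() {
    ca_flags=$(flags_for "$1" "$2")
    srv_flags=$(flags_for "$1" "$3")
    case "${ca_flags%%,*}" in *C*) ;; *) return 1 ;; esac
    [ "$srv_flags" = "u,u,u" ]
}

# Constructed sample of `certutil -L -d /etc/httpd/alias` output after step 4.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Server-Cert                                                  u,u,u'

case "${1:-}" in
    csr)     make_csr ;;
    request) request_cert ;;
    export)  export_cert "$2" ;;
    install) install_cert ;;
    check)   nss_trust_ok "$(certutil -L -d "$NSSDB")" "$CA_NICK" "$NICK" && echo "NSS db OK" ;;
    *)       nss_trust_ok "$SAMPLE_LISTING" "EXAMPLE.COM IPA CA" "Server-Cert" && echo "sample listing OK" ;;
esac
```

Run `csr` on the target host, `request` and then `export <serial>` on the enrolled client, and `install` followed by `check` back on the target host; with no argument the script only evaluates the embedded sample listing. The server cert is imported with empty trust flags on purpose: certutil reports u,u,u by itself once the cert matches a private key already in the db, so seeing anything else after `install` means the CSR was generated in a different database than the one being loaded. For mod_nss the assumed nss.conf settings are NSSCertificateDatabase pointing at the same db and NSSNickname set to the server nickname.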