[Freeipa-users] service cert to a host/member/service

Petr Vobornik pvoborni at redhat.com
Thu May 5 11:49:32 UTC 2016


On 05/05/2016 11:44 AM, lejeczek wrote:
> On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote:
>> lejeczek wrote:
>>> hi users, as one follows official docs and issues a certificate for a 
>>> service/host, one wonders what is the correct way to move such a certificate 
>>> to a host(which is domain member) ? I understand certificates issued with: $ 
>>> ipa cert-request -add --principal are stored in ldap backend, (yet I don't 
>>> quite get the difference between that tool and ipa-certget). 
>>
>>
>> The first uses the IPA command-line to get a cert directly. ipa-getcert
>> uses certmonger.
>>
>> If you are getting a certificate for another host, particularly if that
>> host isn't an IPA client, then the first form is the way to go.
>>
>>> How do I get such a certificate off the server and to a host-not-server? 
>>
>>
>> $ ipa cert-show <serial#> --out cert.pem
>>
>>> In my case I'm hoping to use this certificate in apache+nss. I realize I also 
>>> will need CA certificate on that host, which I got hold of with certutil 
>>> operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's the right way? 
>>
>>
>> So in this case you'd want to generate the CSR on the host-not-server
>> using certutil. You'd take that CSR to the enrolled host and run ipa
>> cert-request ...
>>
>> Get a copy of the cert and get that and /etc/ipa/ca.crt to the
> Is this the only place where IPA's CA cert resides?
> I thought that that cert will be in /etc/dirsrv/slapd-MY-DOMAIN
> $ certutil -d /etc/dirsrv/slapd-MY..
> gets me:
> 
> MY-DOMAIN IPA CA      CT,C,C
> Server-Cert           u,u,u
> 
> what is that IPA CA then?
> I also see the same with:
> $ certutil -d /etc/httpd/alias -L
> Is this the same one certificate? (including /etc/ipa/ca.crt)
> 
> I get these with: ipa-getcert list
> I'm guessing these are set up by installer and to be managed by certmonger, for 
> DS and web server for certificates auto management purposes?

You can use the generic `getcert` tool to list all certs managed by
certmonger and their locations. It will also show you PKI internal certs.

  # getcert list

`ipa-getcert list` is equivalent to `getcert list -c IPA`

> 
> many thanks.
> 
>> host-not-server.
>>
>> Use certutil to add both to your NSS database.
>>
>> rob
>>
> 
-- 
Petr Vobornik
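As an added illustration that is not part of the thread above: the `certutil -L` listing quoted in the question shows each nickname with its trust attributes (SSL,S/MIME,JAR/XPI), and the practical question after copying /etc/ipa/ca.crt and the issued cert into an NSS database for Apache is whether the CA is actually marked trusted (`C` in the SSL column) and the server cert has its private key in the database (`u`). The script below parses such a listing and performs that check. The sample listings, nicknames and function names are constructed for this example; the output format follows the two-column layout `certutil -L` prints.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample of `certutil -d /etc/httpd/alias -L` output, not captured
# from a real system. The CA was imported with trust flags "CT,C,C" and the
# server cert has its private key in the database ("u,u,u").
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MY-DOMAIN IPA CA                                             CT,C,C
Server-Cert                                                  u,u,u
"""

# Constructed failure case: the CA was added with `certutil -A` but without
# any trust flags, so certutil prints ",," and Apache/NSS will not trust it.
UNTRUSTED_CA_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MY-DOMAIN IPA CA                                             ,,
Server-Cert                                                  u,u,u
"""

# Trust attribute field: three comma-separated flag groups, each possibly empty.
TRUST_RE = re.compile(r"^([pPcCTuw]*),([pPcCTuw]*),([pPcCTuw]*)$")


class Trust(NamedTuple):
    ssl: str      # flags for the SSL usage
    email: str    # flags for S/MIME
    objsign: str  # flags for object signing (JAR/XPI)


def parse_certutil_listing(text: str) -> Dict[str, Trust]:
    """Map each nickname in a `certutil -L` listing to its trust flags.

    Nicknames may contain spaces, so the line is split from the right on the
    last whitespace run; header lines are skipped because their last token
    does not look like a trust attribute field.
    """
    certs: Dict[str, Trust] = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2:
            continue
        nickname, flags = parts
        match = TRUST_RE.match(flags)
        if not match:
            continue  # column headers such as "Trust Attributes"
        certs[nickname.strip()] = Trust(*match.groups())
    return certs


def trusted_ssl_cas(certs: Dict[str, Trust]) -> List[str]:
    """Nicknames trusted to issue server (SSL) certificates."""
    return sorted(name for name, trust in certs.items() if "C" in trust.ssl)


def check_nssdb(certs: Dict[str, Trust], ca_nickname: str,
                server_nickname: str) -> List[str]:
    """Return a list of problems; an empty list means the DB is usable for httpd."""
    problems: List[str] = []
    ca = certs.get(ca_nickname)
    if ca is None:
        problems.append(f"CA '{ca_nickname}' not found in database")
    elif "C" not in ca.ssl:
        problems.append(
            f"CA '{ca_nickname}' present but not trusted for SSL (flags {ca.ssl!r})")
    server = certs.get(server_nickname)
    if server is None:
        problems.append(f"server cert '{server_nickname}' not found in database")
    elif "u" not in server.ssl:
        problems.append(
            f"server cert '{server_nickname}' has no private key in database")
    return problems


if __name__ == "__main__":
    for label, listing in (("ok", SAMPLE_LISTING), ("untrusted", UNTRUSTED_CA_LISTING)):
        certs = parse_certutil_listing(listing)
        print(label, "trusted CAs:", trusted_ssl_cas(certs))
        print(label, "problems:", check_nssdb(certs, "MY-DOMAIN IPA CA", "Server-Cert"))
```

In practice you would feed it the real listing (`certutil -d /etc/httpd/alias -L`) on the host that is not an IPA client; the second sample shows the common mistake of importing ca.crt without `-t "CT,,"`, which leaves the CA present but untrusted.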
