[Freeipa-users] How to get a new cert

Bret Wortman bret.wortman at damascusgrp.com
Wed Sep 28 13:30:37 UTC 2016


Yeah, I'm still not getting this, and I'm probably missing something 
painfully obvious.

I follow the steps here:

1. Log into the server for which I need the cert.

2. # certutil -R -d /etc/pki/nssdb -a -g 2048 -s "CN=testesk1.internal.net,O=INTERNAL.NET" > ssl.csr

I then copy the contents of the csr file and paste it into the FreeIPA 
UI after selecting Actions->New Certificate from the Host Settings page.

3. I then click Actions->Get Certificate on that same page to extract 
the contents and paste it into a new .pem file on the requesting host.

But how do I get at the key that was used in the creation of this cert? 
I can get the cacert, and I've got the newly-issued cert, but what about 
the key?

Thanks!


Bret


On 09/27/2016 02:00 PM, Bret Wortman wrote:
> That looks like it worked, but I have a follow-on question:
>
> I need to provide my RabbitMQ instance with a cacert file, a cert, and 
> a key file. These seem to be .pem files. Is there an easy way to 
> gather these 3 files from a typical IPA client node?
>
> Merci!
>
>
> Bret
>
>
> On 09/27/2016 11:28 AM, Florence Blanc-Renaud wrote:
>> Hi Bret,
>>
>> would the following be helpful? In "Linux Domain Identity, 
>> Authentication, and Policy Guide", Chapter 17.1.1 Requesting New 
>> Certificates for a User, Host, or Service [1]
>>
>> Flo.
>>
>> [1] 
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/certificates.html#certificate-request
>>
>> On 09/27/2016 04:20 PM, Bret Wortman wrote:
>>> Is there a guide anywhere for how to obtain an SSL certificate for a
>>> new server & service from the IPA CA master? Most of the guides I'm
>>> seeing online use web pages at the major CAs to do this and I'd like
>>> to keep it in the family.
>>>
>>> Thanks!
>>>
>>>
>>> -- 
>>> *Bret Wortman*
>>> http://wrapbuddies.co/
>>>
>>>
>>
>



