[Freeipa-users] How to get a new cert

Florence Blanc-Renaud flo at redhat.com
Wed Sep 28 13:47:00 UTC 2016


On 09/27/2016 08:00 PM, Bret Wortman wrote:
> That looks like it worked, but I have a follow-on question:
>
> I need to provide my RabbitMQ instance with a cacert file, a cert, and a
> key file. These seem to be .pem files. Is there an easy way to gather
> these 3 files from a typical IPA client node?
>
Hi,

you can retrieve the new cert using the GUI. Navigate to Identity tab, 
then Users or Hosts or Services and pick your user, host or service. You 
will find in the "Actions" button a command to "Get Certificate". This 
will open a new window with the content of the cert, that you can 
copy/paste into mycert.pem.

Once you have obtained mycert.pem, you can add it to the NSS database 
that you used previously in order to generate the CSR:
$ certutil -A -d path_to_database -i mycert.pem -t u,u,u -n mycert

Add IPA CA to the nss database:
$ certutil -A -d path_to_database -n "IPA CA" -t CT,, -a < /etc/ipa/ca.crt

Then pk12util and openssl will allow you to extract the key and certs 
through a temp keys.p12 file:
$ pk12util -o keys.p12 -n mycert -d path_to_database
$ openssl pkcs12 -in keys.p12 -out mykey.pem -nodes

The output is mykey.pem which contains the key, the new certificate and 
IPA CA certificate.

HTH,
Flo.

> Merci!
>
>
> Bret
>
>
> On 09/27/2016 11:28 AM, Florence Blanc-Renaud wrote:
>> Hi Bret,
>>
>> would the following be helpful? In "Linux Domain Identity,
>> Authentication, and Policy Guide", Chapter 17.1.1 Requesting New
>> Certificates for a User, Host, or Service [1]
>>
>> Flo.
>>
>> [1]
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/certificates.html#certificate-request
>>
>>
>> On 09/27/2016 04:20 PM, Bret Wortman wrote:
>>> Is there a guide anywhere for how to obtain an SSL certificate for a new
>>> server & service from the IPA CA master? Most of the guides I'm seeing
>>> online use web pages at the major CAs to do this and I'd like to keep it
>>> in the family.
>>>
>>> Thanks!
>>>
>>>
>>> --
>>> *Bret Wortman*
>>> http://wrapbuddies.co/
>>>
>>>
>>
>
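
Added example, not part of the original message: the openssl command in the reply writes the key, the certificate and the IPA CA certificate into one file, while RabbitMQ is given the three separately. This shell function splits keys.p12 into three PEM files and checks that they belong together; the function name, the output file names and the P12_PASS environment variable are assumptions.

```shell
#!/bin/sh
# Added example: split a PKCS#12 bundle (as written by pk12util) into
# key.pem, cert.pem and cacert.pem. All three names are assumptions.
# Usage: export P12_PASS=<bundle password>; split_p12 keys.p12 outdir
# The password is read from the environment so it never appears in argv.
split_p12() (
    p12=$1 out=$2
    pem_only='/-----BEGIN/,/-----END/p'   # drops the "Bag Attributes" text
    umask 077                             # key file is created owner-only
    mkdir -p "$out" || exit 1

    # Private key only, unencrypted (-nodes, as in the thread).
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes \
        | sed -n "$pem_only" > "$out/key.pem"
    # Leaf certificate only (the one bound to the key).
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys \
        | sed -n "$pem_only" > "$out/cert.pem"
    # CA certificate(s) only.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -cacerts -nokeys \
        | sed -n "$pem_only" > "$out/cacert.pem"
    chmod 644 "$out/cert.pem" "$out/cacert.pem"

    # A wrong password or a bundle without the CA leaves an empty file.
    for f in key cert cacert; do
        [ -s "$out/$f.pem" ] || { echo "no $f found in $p12" >&2; exit 1; }
    done
    # The certificate must carry the public key of the extracted private key.
    [ "$(openssl x509 -in "$out/cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$out/key.pem" -pubout)" ] \
        || { echo "certificate does not match key" >&2; exit 1; }
    # The certificate must verify against the extracted CA.
    openssl verify -CAfile "$out/cacert.pem" "$out/cert.pem" >/dev/null \
        || { echo "certificate does not chain to CA" >&2; exit 1; }
)
```

Delete keys.p12 and any combined mykey.pem once the split files are in place, since both hold the unencrypted or password-protected private key.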



