[Freeipa-users] How to get a new cert

Bret Wortman bret.wortman at damascusgrp.com
Wed Sep 28 13:50:56 UTC 2016


Perfect. That did the trick. Many thanks, Flo.


Bret


On 09/28/2016 09:47 AM, Florence Blanc-Renaud wrote:
> On 09/27/2016 08:00 PM, Bret Wortman wrote:
>> That looks like it worked, but I have a follow-on question:
>>
>> I need to provide my RabbitMQ instance with a cacert file, a cert, and a
>> key file. These seem to be .pem files. Is there an easy way to gather
>> these 3 files from a typical IPA client node?
>>
> Hi,
>
> you can retrieve the new cert using the GUI. Navigate to Identity tab, 
> then Users or Hosts or Services and pick your user, host or service. 
> You will find in the "Actions" button a command to "Get Certificate". 
> This will open a new window with the content of the cert, that you can 
> copy/paste into mycert.pem.
>
> Once you have obtained mycert.pem, you can add it to the NSS database 
> that you used previously in order to generate the CSR:
> $ certutil -A -d path_to_database -i mycert.pem -t u,u,u -n mycert
>
> Add IPA CA to the nss database:
> $ certutil -A -d path_to_database -n "IPA CA" -t CT,, -a < /etc/ipa/ca.crt
>
> Then pk12util and openssl will allow you to extract the key and certs 
> through a temp keys.p12 file:
> $ pk12util -o keys.p12 -n mycert -d path_to_database
> $ openssl pkcs12 -in keys.p12 -out mykey.pem -nodes
>
> The output is mykey.pem which contains the key, the new certificate 
> and IPA CA certificate.
>
> HTH,
> Flo.
>
>> Merci!
>>
>>
>> Bret
>>
>>
>> On 09/27/2016 11:28 AM, Florence Blanc-Renaud wrote:
>>> Hi Bret,
>>>
>>> would the following be helpful? In "Linux Domain Identity,
>>> Authentication, and Policy Guide", Chapter 17.1.1 Requesting New
>>> Certificates for a User, Host, or Service [1]
>>>
>>> Flo.
>>>
>>> [1]
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/certificates.html#certificate-request 
>>>
>>>
>>>
>>> On 09/27/2016 04:20 PM, Bret Wortman wrote:
>>>> Is there a guide anywhere for how to obtain an SSL certificate for a new
>>>> server & service from the IPA CA master? Most of the guides I'm seeing
>>>> online use web pages at the major CAs to do this and I'd like to keep it
>>>> in the family.
>>>>
>>>> Thanks!
>>>>
>>>>
>>>> -- 
>>>> *Bret Wortman*
>>>> http://wrapbuddies.co/
>>>>
>>>>
>>>
>>
>
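
Added example, not part of the thread: the openssl step above writes the key, the certificate and the IPA CA certificate into a single mykey.pem, while the question asks for three separate files. The sketch below splits keys.p12 into three owner-only files and checks that they belong together. The function name split_p12, the P12_PASS variable and the output file names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. split_p12, P12_PASS and the output
# names key.pem / cert.pem / cacert.pem are assumed names.
# Usage: P12_PASS='password given to pk12util' split_p12 keys.p12 outdir
# The password is read from the environment so that it does not appear
# in the process list.

split_p12() (
    p12=$1; out=$2
    export P12_PASS
    umask 077                     # files created below are owner-only
    mkdir -p "$out" || exit 1

    # Keep only the PEM blocks; drops the "Bag Attributes" text that
    # openssl pkcs12 writes in front of each object.
    pem_only() { sed -n '/-----BEGIN /,/-----END /p'; }

    # Private key only, left unencrypted (-nodes) as in the thread.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes \
        | pem_only > "$out/key.pem"
    # The issued certificate only.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys \
        | pem_only > "$out/cert.pem"
    # The CA certificate(s) only.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -cacerts -nokeys \
        | pem_only > "$out/cacert.pem"

    # A wrong password or a bundle without the CA leaves an empty file.
    for f in key.pem cert.pem cacert.pem; do
        [ -s "$out/$f" ] || { echo "split_p12: $f is empty" >&2; exit 1; }
    done

    # The key must be the one the certificate was issued for.
    kpub=$(openssl pkey -in "$out/key.pem" -pubout) || exit 1
    cpub=$(openssl x509 -in "$out/cert.pem" -noout -pubkey) || exit 1
    [ "$kpub" = "$cpub" ] \
        || { echo "split_p12: key does not match certificate" >&2; exit 1; }

    # The certificate must chain to the extracted CA.
    openssl verify -CAfile "$out/cacert.pem" "$out/cert.pem" >/dev/null \
        || exit 1
)
```

After a successful split, keys.p12 and the combined mykey.pem still hold the unencrypted private key and can be removed once the service is running with the three files.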



