[Freeipa-users] Generating a Certificate Signing Request

Rob Crittenden rcritten at redhat.com
Wed Jul 15 14:58:53 UTC 2009


James Roman wrote:
> I've seen that you can import a CA signed certificate into freeipa. 
> Normally, with fedora directory server, you would generate a CSR using 
> the Certificate Request Wizard and then import the signed certificate. 
> Are there any instructions on generating a CSR for use with freeipa?

You can install an IPA server using a given set of PKCS#12 files, yes. 
IPA requires SSL from the get-go so you can't install it in non-SSL mode 
and then add it, like you can with basic Apache and 389.

To get these PKCS#12 files (one for Apache and one for 389) you can use 
any tool you'd like including openssl and the NSS certutil utilities 
(and pk12util to make the PKCS#12).

When generating the CSR be sure to set the CN in the subject to match 
the FQDN of the IPA server.

An example of doing this using the NSS utilities (which I'm more familiar 
with) would be:

Start by creating a new, temporary NSS database
$ mkdir ipacerts
$ certutil -N -d ipacerts

Now generate a CSR
$ certutil -R -d ipacerts -s "CN=ipa.example.com,OU=IPA,O=example" -g 1024 -a -o csr.txt
<hit keys to generate random data for the key>

1024 is the key size, use a larger key if you'd like

Your CSR is in csr.txt

Once you get the cert, import it. In this example the cert is in the 
file cert.txt

$ certutil -A -n Server-Cert -d ipacerts -t u,u,u -a < cert.txt

You'll also want to add the CA that issued the cert to the database, say 
that's in ca.txt

$ certutil -A -n "CA certificate" -d ipacerts -t CT,, -a < ca.txt

Verify that everything is a-ok

$ certutil -V -u V -n Server-Cert -d ipacerts

(should return valid certificate)

Export the cert

$ pk12util -o cert.p12 -n Server-Cert -d ipacerts

A few notes:

- There is nothing magical about the "Server-Cert" nickname. Use any 
unique string you'd like.
- You need to add the CA so that it gets put into the PKCS#12 file along 
with the server cert

I think that covers it.

rob
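The reply mentions openssl as an alternative to the NSS tools. The following is an added example, not from the original post or the FreeIPA project, doing the same flow with openssl: a CSR whose CN is the server FQDN, a check of that CN before the CSR leaves your hands, a chain check of the returned cert, and a PKCS#12 that carries the CA along with the server cert. It assumes the FQDN ipa.example.com, a work directory named ipacerts, a constructed throwaway CA standing in for the real issuer, and a placeholder export password.

```shell
#!/bin/sh
# Added example: CSR -> signed cert -> PKCS#12 with openssl instead of certutil/pk12util.
# Assumptions: FQDN ipa.example.com, work dir ipacerts, a throwaway test CA that
# stands in for the real issuing CA, and a placeholder export password.
set -e

FQDN="ipa.example.com"
DIR="ipacerts"
P12PASS="changeit"   # placeholder; pick a real one

# Step 1: new RSA key and CSR. The CN must equal the IPA server's FQDN.
make_csr() {
    mkdir -p "$DIR"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$DIR/server.key" -out "$DIR/csr.txt" \
        -subj "/O=example/OU=IPA/CN=$FQDN" 2>/dev/null
}

# Print the CN from the CSR subject so it can be checked before the CSR is sent off.
csr_cn() {
    openssl req -in "$DIR/csr.txt" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Constructed stand-in for the issuing CA; in practice the real CA signs csr.txt.
make_test_ca_and_sign() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -keyout "$DIR/ca.key" -out "$DIR/ca.txt" \
        -subj "/O=example/CN=Test CA" 2>/dev/null
    openssl x509 -req -in "$DIR/csr.txt" -CA "$DIR/ca.txt" -CAkey "$DIR/ca.key" \
        -CAcreateserial -days 1 -out "$DIR/cert.txt" 2>/dev/null
}

# Step 2: the counterpart of "certutil -V": validate the server cert against the CA.
verify_cert() {
    openssl verify -CAfile "$DIR/ca.txt" "$DIR/cert.txt" >/dev/null 2>&1
}

# Step 3: bundle key, cert and CA into one PKCS#12 (-certfile is what adds the CA).
make_p12() {
    openssl pkcs12 -export -inkey "$DIR/server.key" -in "$DIR/cert.txt" \
        -certfile "$DIR/ca.txt" -name Server-Cert -passout "pass:$P12PASS" \
        -out "$DIR/cert.p12"
}

# Number of certificates inside the PKCS#12; 2 means server cert plus CA.
p12_cert_count() {
    openssl pkcs12 -in "$DIR/cert.p12" -passin "pass:$P12PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}
```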