[Freeipa-users] service cert to a host/member/service

Rob Crittenden rcritten at redhat.com
Thu May 5 13:07:08 UTC 2016


lejeczek wrote:
> On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote:
>> lejeczek wrote:
>>> hi users, as one follows official docs and issues a certificate for a
>>> service/host, one wonders what is the correct way to move such a
>>> certificate to a host(which is domain member) ? I understand
>>> certificates issued with: $ ipa cert-request -add --principal are
>>> stored in ldap backend, (yet I don't quite get the difference between
>>> that tool and ipa-certget).
>>
>>
>> The first uses the IPA command-line to get a cert directly. ipa-getcert
>> uses certmonger.
>>
>> If you are getting a certificate for another host, particularly if that
>> host isn't an IPA client, then the first form is the way to go.
>>
>>> How do I get such a certificate off the server and to a host-not-server?
>>
>>
>> $ ipa cert-show <serial#> --out cert.pem
>>
>>> In my case I'm hoping to use this certificate in apache+nss. I
>>> realize I also will need CA certificate on that host, which I got
>>> hold of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if
>>> it's the right way?
>>
>>
>> So in this case you'd want to generate the CSR on the host-not-server
>> using certutil. You'd take that CSR to the enrolled host and run ipa
>> cert-request ...
>>
>> Get a copy of the cert and get that and /etc/ipa/ca.crt to the
> Is this the only place where IPA' CA cert resides?
> I thought that that cert will be in /etc/dirsrv/slapd-MY-DOMAIN
> $ certutil -d /etc/dirsrv/slapd-MY..
> gets me:
>
> MY-DOMAIN IPA CA                    CT,C,C
> Server-Cert                         u,u,u
>
> what is that IPA CA then?
> I also see the same with:
> $ certutil -d /etc/httpd/alias -L
> Is this the same one certificate? (including /etc/ipa/ca.crt)

Yes, these are all (or should be) the same (there is a copy in LDAP too).

> I get these with: ipa-getcert list
> I'm guessing these are set up by installer and to be managed by
> certmonger, for DS and web server for certificates auto management purposes?

Yes, certmonger manages automatic renewal.

rob

> many thanks.
>
>> host-not-server.
>>
>> Use certutil to add both to your NSS database.
>>
>> rob
>>
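The workflow Rob describes (CSR on the non-enrolled host, cert-request on an enrolled host, cert-show to export, certutil to import CA and cert), as an added example script that is not part of the thread. Each function is run on the host named in its comment; the NSS database path, hostname and CA nickname are placeholders, and `check_trust` parses a `certutil -L` listing so the expected trust flags can be verified after import.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Moves an IPA-issued service
# certificate to a host that is not an IPA client (Apache + mod_nss).
# Placeholders (assumptions): NSSDB, HOST_FQDN, CA_NICK.
set -eu

NSSDB="${NSSDB:-/etc/httpd/alias}"            # mod_nss database on the target host
HOST_FQDN="${HOST_FQDN:-www.example.test}"     # constructed hostname
CA_NICK="${CA_NICK:-EXAMPLE.TEST IPA CA}"      # constructed CA nickname
CA_FILE="/etc/ipa/ca.crt"                      # CA cert on any enrolled host

# Step 1, on the target host: key pair and CSR are generated inside the NSS db,
# so the private key never leaves the machine that will serve TLS.
make_csr() {                                   # $1 = CSR output path
    certutil -R -d "$NSSDB" -g 2048 -s "CN=$HOST_FQDN" -a -o "$1"
}

# Step 2, on an enrolled host: submit the CSR for the HTTP service principal
# and print the serial number of the issued certificate.
request_cert() {                               # $1 = CSR path
    ipa cert-request "$1" --principal="HTTP/$HOST_FQDN" --add \
        | awk -F': ' '/^ *Serial number:/ { print $2 }'
}

# Step 3, on an enrolled host: export the issued certificate by serial, PEM.
fetch_cert() {                                 # $1 = serial, $2 = output path
    ipa cert-show "$1" --out "$2"
}

# Step 4, on the target host: import the CA (trusted to issue server certs)
# and the service cert (private key already in the db, so flags are u,u,u).
import_into_nss() {                            # $1 = CA pem, $2 = server cert pem
    certutil -A -d "$NSSDB" -n "$CA_NICK" -t "CT,C,C" -a -i "$1"
    certutil -A -d "$NSSDB" -n "Server-Cert" -t "u,u,u" -a -i "$2"
}

# Step 5: check a `certutil -L -d $NSSDB` listing read from stdin. Returns 0
# only if the CA carries CT,C,C and the server cert carries u,u,u.
check_trust() {                                # $1 = CA nickname, $2 = server nickname
    awk -v ca="$1" -v srv="$2" '
        { flags = $NF; line = $0
          sub(/[ \t]+[^ \t]+[ \t]*$/, "", line); sub(/^[ \t]+/, "", line) }
        line == ca  && flags == "CT,C,C" { okca = 1 }
        line == srv && flags == "u,u,u"  { oksrv = 1 }
        END { exit !(okca && oksrv) }'
}
```

After import, `certutil -L -d "$NSSDB" | check_trust "$CA_NICK" Server-Cert` confirms the listing shows the same CA/server flag pairs quoted earlier in the thread.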
