URL: https://github.com/freeipa/freeipa/pull/542
Title: #542: Implementation independent interface for CSR generation
HonzaCholasta commented:
"""
I would rather make things simple and remove the abstraction. We can support NSS databases by PKCS#12 export/import until we have first-class support:

1. generate private key and temporary cert in the NSS database: `certutil -S ...`
2. export the private key from the NSS database into a temporary PKCS#12 file: `pk12util -o key.p12 ...`
3. delete the temporary cert from the NSS database: `certutil -D ...`
4. extract the private key from the temporary PKCS#12 file into a temporary PKCS#8 file: `openssl pkcs12 -in key.p12 -nocerts -out key.pem ...`
5. delete the temporary PKCS#12 file
6. request a certificate using the OpenSSL workflow on the temporary PKCS#8 file
7. import the certificate into the NSS database

Granted, this won't work with HSMs, but I think that's OK, given it is only a temporary solution.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/542#issuecomment-284995622
--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
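Steps 1 to 6 of the workaround in the comment above, written out as an added shell example that is not part of the original comment or of FreeIPA, with the temporary PKCS#12 and PKCS#8 files confined to an owner-only directory that is removed on exit. Assumptions: the NSS database already exists and has an empty password, the subject is a bare common name, and the function name, nickname and file names are hypothetical; the flags filled in where the comment has `...` are one possible choice.

```shell
#!/bin/sh
# Added example, not FreeIPA code. Steps 1-6 of the workaround for one host name.
# Assumptions: $1 = existing NSS database (empty password), $2 = common name,
# $3 = path for the CSR; the nickname and temp file names are hypothetical.
nss_key_to_csr() {
    db=$1 cn=$2 csr_out=$3
    for tool in certutil pk12util openssl; do
        command -v "$tool" >/dev/null 2>&1 || return 127
    done
    (   # subshell: umask and the EXIT trap stay local to this call
        umask 077                                  # temp files readable by owner only
        work=$(mktemp -d) || exit 1
        trap 'rm -rf "$work"' EXIT                 # step 5, and cleanup on any failure
        nick="tmp-csr-$$"
        openssl rand -hex 32 >"$work/p12pass" || exit 1   # one-off PKCS#12 password
        openssl rand -out "$work/noise" 64 || exit 1      # keygen seed, avoids the prompt

        # 1. private key + temporary self-signed cert in the NSS database
        certutil -S -d "$db" -n "$nick" -s "CN=$cn" -x -t ",," \
            -k rsa -g 2048 -z "$work/noise" >/dev/null 2>&1 || exit 1
        # 2. export key (and temp cert) to PKCS#12; password passed by file, not argv
        pk12util -o "$work/key.p12" -d "$db" -n "$nick" -w "$work/p12pass" >/dev/null 2>&1
        exported=$?
        # 3. delete the temporary cert even if the export failed (-D keeps the key)
        certutil -D -d "$db" -n "$nick" || exit 1
        [ "$exported" -eq 0 ] || exit 1
        # 4. PKCS#12 -> unencrypted PKCS#8 PEM; this file is the sensitive one
        openssl pkcs12 -in "$work/key.p12" -nocerts -nodes \
            -passin "file:$work/p12pass" -out "$work/key.pem" 2>/dev/null || exit 1
        # 6. (first half) build the CSR from the PKCS#8 key; submission is out of scope
        openssl req -new -key "$work/key.pem" -subj "/CN=$cn" -out "$csr_out" || exit 1
    )
}
```

Step 7 is then a `certutil -A` of the issued certificate into the same database, where it pairs with the private key that `certutil -D` left in place.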