lejeczek via FreeIPA-users wrote:
> 
> 
> On 19/07/17 20:06, Rob Crittenden via FreeIPA-users wrote:
>> lejeczek via FreeIPA-users wrote:
>>> hello fellas
>>>
>>> those certs I see with:
>>> $ ipa cert-find
>>> Is it possible to get the private key(s) for a given cert? By means of
>>> (any) command line?
>> Not from the CA, no.
>>
>> The CA doesn't store the private keys for the certificates it issues and
>> never sees them at all.
>>
>> You need access to the filesystem containing the private keys to be able
>> to retrieve/extract them.
>>
>> rob
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-users-le...@lists.fedorahosted.org
> So these are replica/host certs created during replica/host add that
> I'm looking at. Where does IPA store those private keys?
> Would there be any howto on how to get a cert+key pair in standard PEM
> out of IPA to use outside of IPA?
>

Depends on what you mean by outside of IPA.

It is a rather terrible idea to share keys between services
security-wise, especially given how easy it is to get a cert from IPA.

That said, it isn't a secret where they are stored. The web cert/key is
in /etc/httpd/alias and the ldap cert/key is in /etc/dirsrv/slapd-REALM.

You can use pk12util to export the cert and key as a PKCS#12 file and
then openssl pkcs12 to extract the key from that.


rob
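The pk12util / openssl pkcs12 route Rob describes, as an added example (not code from the thread or from the FreeIPA project). It assumes the NSS database password file is pwdfile.txt inside the DB directory and that the nickname is Server-Cert; it also adds the key-matches-cert check an admin would want before using the pair anywhere else.

```shell
#!/bin/sh
# Export a server cert + key from an NSS database (where FreeIPA kept them at
# the time of this thread) to PEM, then confirm the key really belongs to the cert.
# Assumptions (not from the thread): the DB password file is pwdfile.txt inside
# the DB directory and the nickname is "Server-Cert".

# Step 1: NSS DB -> PKCS#12 (the pk12util step from the reply).
#   $1 = NSS DB dir, $2 = nickname, $3 = output .p12, $4 = .p12 password
export_nss_to_p12() {
    ( umask 077
      pk12util -o "$3" -n "$2" -d "$1" -k "$1/pwdfile.txt" -W "$4" )
}

# Step 2: PKCS#12 -> unencrypted private key PEM + leaf cert PEM.
#   $1 = .p12, $2 = its password, $3 = key out, $4 = cert out
# Note: NSS-made .p12 files may use RC2/3DES; with OpenSSL 3 add "-legacy"
# to both commands if they fail with "unsupported".
p12_to_pem() {
    ( umask 077
      openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3" &&
      openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$4" )
}

# Step 3: the public key derived from the private key must equal the public
# key embedded in the certificate (works for RSA and EC keys alike).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: export-ipa-cert.sh NSSDIR NICK P12PASS OUTDIR
if [ "$#" -eq 4 ]; then
    export_nss_to_p12 "$1" "$2" "$4/server.p12" "$3" &&
    p12_to_pem "$4/server.p12" "$3" "$4/server.key" "$4/server.crt" &&
    key_matches_cert "$4/server.key" "$4/server.crt" &&
    echo "exported: $4/server.key $4/server.crt"
fi
```

Both PEM files are written with mode 0600 via umask; the key file is unencrypted (-nodes), so move it straight into the consuming service's key store rather than leaving it in a shared directory.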