Oops ... You are right... My mistake. Sorry for the noise.

Problem is solved.

Regards,
C. L. Martinez

-----Original Message-----
From: Rob Crittenden <rcrit...@redhat.com> 
Sent: Wednesday, July 26, 2023 14:28
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Carlos Lopez <clo...@outlook.com>; Jernej Jakob <jernej.ja...@abak.si>
Subject: Re: [Freeipa-users] Re: Exporting certificates with keys associated in 
FreeIPA

Jernej Jakob via FreeIPA-users wrote:
> On Wed, 26 Jul 2023 11:10:23 +0000
> Carlos Lopez via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
> wrote:
> 
>> Hi all,
>>
>> Sorry to disturb but I cannot find which is the correct procedure to 
>> accomplish this. I have created a certificate in WebUI and I can export 
>> certificate in pem format, which is what I need. But I need the private 
>> key also. This certificate is for a host outside of Kerberos and LDAP's 
>> FreeIPA domain.
>>
>> How can I export pem cert and key file?
>>
>> Regards,
>> C. L. Martinez
>>
> 
> While I don't know the answer to your question, I can say that the 
> private key should not leave the server (machine, service, user,...) 
> which uses it. The standard procedure for PKI is to generate a private 
> key on the machine, generate a CSR, send the CSR to the CA to get 
> signed (which issues the certificate), then install the certificate 
> back on the machine. If the machine is enrolled into FreeIPA you can 
> do this with certmonger. If not, you can probably still get FreeIPA to 
> sign your CSR.

This is correct. The private key (CSR) is generated on the requestor's machine 
and submitted to the IPA CA by the user. IPA only has the public key 
(certificate).

As mentioned, there are a couple of ways to submit requests. One can do it 
from the CLI using cert-request, or the WebUI, which leverages the same call, or 
have certmonger do it.

rob
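
The flow described in the replies above, as an added example that is not part of the original messages: the key and CSR are created on the host that will use them, and only the CSR goes to the IPA CA. The hostname, file names and helper function names are constructed placeholders, and the `ipa` commands in the trailing comments assume an admin ticket and that a host entry is created for the non-enrolled machine.

```shell
#!/bin/sh
# Added example. Run on the host that will use the certificate, so the
# private key never leaves it. All names below are placeholders.

# Generate a 2048-bit RSA key (owner-readable only) and a CSR with a DNS SAN.
# Runs in a subshell so the umask change does not leak to the caller.
make_key_and_csr() (
    fqdn="$1"; outdir="$2"
    umask 077
    openssl genrsa -out "$outdir/$fqdn.key" 2048 2>/dev/null &&
    openssl req -new -key "$outdir/$fqdn.key" -subj "/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" -out "$outdir/$fqdn.csr"
)

# Succeeds only if the CSR carries the public half of the given key.
csr_matches_key() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$csr_pub" ]
}

# Sanity check before the file is copied anywhere: a CSR must not
# contain private key material.
csr_is_safe_to_send() {
    ! grep -q 'PRIVATE KEY' "$1"
}

# Usage: ./make-csr.sh host.example.test [output-dir]
if [ -n "${1:-}" ]; then
    out="${2:-.}"
    make_key_and_csr "$1" "$out" &&
    csr_matches_key "$out/$1.key" "$out/$1.csr" &&
    csr_is_safe_to_send "$out/$1.csr" &&
    echo "Send only $out/$1.csr to the CA; keep $out/$1.key on this host."
fi

# Then, on a machine with the ipa client and an admin ticket (assumed setup):
#   ipa host-add host.example.test --force
#   ipa cert-request host.example.test.csr \
#       --principal=host/host.example.test \
#       --certificate-out=host.example.test.pem
# The issued PEM certificate is copied back to the host and installed
# next to the key that was generated there.
```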