On Tue, 19 Jul 2016, Rob Crittenden wrote:
Jeremy Utley wrote:
Hello all!

We're looking at replacing a lot of our currently self-signed internal
SSL certificates in our infrastructure with certificates generated by
the FreeIPA CA.  However, I've run into something that I haven't been
able to find documented as of yet, and I'm hoping some of you can point
me in the right direction.  Some of our internal SSL sites are
load-balanced between multiple hosts, so we end up with the same SSL/Key
installed to each host.  For example:

hostname.domain.com is hosted on hostA and hostB.

Both hostA and hostB have the certs at
/etc/httpd/certs/hostname.domain.com/hostname.crt, and the private key at
/etc/httpd/certs/hostname.domain.com/hostname.key

I would expect I can have both hostA and hostB be able to work with the
FreeIPA certificates by adding additional ipa host-add-managedby and ipa
service-add-host commands, to specify both hostA and hostB.  However,
from my understanding, running the "ipa-getcert request" command on
hostA will put the certs on hostA only, and I'd need the same certs on
both hostA and hostB.  Is there a special ipa-getcert incantation that
can retrieve the already-issued certificate files, and allow them to be
managed by FreeIPA on both hosts?  Or is there another recommended way
of doing this?

Thanks for any info you can give me!


IPA doesn't have any provision for sharing keys between machines. I think you'd need to manage it similarly to the way you probably do now: manually copying files around.

What you can do is set up one machine to "own" the certs and keys and do the renewals via certmonger, but beyond that you're on your own.
In FreeIPA 4.4.x we provide (and use for our own needs) Custodia[1], which
can be used to store and retrieve commonly accessed secrets. It would
be interesting to extend certmonger to be able to retrieve certificate
material stored in Custodia. A post-retrieval script could be added to
push the certificate material to Custodia on a master.

[1] https://github.com/latchset/custodia
--
/ Alexander Bokovoy
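The following script is an added example, not code from this thread, from FreeIPA or from certmonger. It turns the pattern in Rob's reply into something concrete: hostA owns the certmonger tracking request and the renewals, and a certmonger post-save hook does the "manual copying" to hostB after every save. The `-C` post-save option of `ipa-getcert request`, the `-f`/`-k`/`-K`/`-D` options, and the `ipa host-add-managedby` and `ipa service-add-host` commands are real; the host names hostA.domain.com and hostB.domain.com, the realm DOMAIN.COM, the hook path under /usr/local/sbin and the reload via systemctl are assumptions (the /etc/httpd/certs paths are the ones from the question). It does not attempt the Custodia integration Alexander describes, since that does not exist in certmonger.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or certmonger): one host owns
# the key pair and the certmonger request; a post-save hook pushes the
# renewed files to the peer host behind the same balanced name.
# Assumed names, overridable through the environment:
SERVICE_NAME="${SERVICE_NAME:-hostname.domain.com}"   # the balanced site
OWNER_HOST="${OWNER_HOST:-hostA.domain.com}"          # runs certmonger
PEER_HOST="${PEER_HOST:-hostB.domain.com}"            # receives the files
REALM="${REALM:-DOMAIN.COM}"                          # assumed Kerberos realm
CERT_DIR="/etc/httpd/certs/$SERVICE_NAME"             # paths from the question
PRINCIPAL="HTTP/$SERVICE_NAME@$REALM"
HOOK="/usr/local/sbin/push-cert-$SERVICE_NAME.sh"     # assumed hook location

# One-time IPA setup, run once with an admin ticket: a host entry for the
# balanced name, both real hosts allowed to manage it, an HTTP service for
# it, and both real hosts allowed to request certificates for that service
# with their own host credentials.
ipa_setup_cmds() {
  cat <<EOF
ipa host-add $SERVICE_NAME
ipa host-add-managedby $SERVICE_NAME --hosts=$OWNER_HOST --hosts=$PEER_HOST
ipa service-add $PRINCIPAL
ipa service-add-host $PRINCIPAL --hosts=$OWNER_HOST --hosts=$PEER_HOST
EOF
}

# The request is made on the owning host only: key and certificate land in
# CERT_DIR, the certificate carries the balanced name as a SAN, and
# certmonger runs HOOK after every save (initial issue and each renewal).
getcert_request_cmd() {
  printf 'ipa-getcert request -f %s/hostname.crt -k %s/hostname.key -K %s -D %s -C %s\n' \
    "$CERT_DIR" "$CERT_DIR" "$PRINCIPAL" "$SERVICE_NAME" "$HOOK"
}

# Write the post-save hook to the path given as $1. certmonger runs it as
# root on the owning host; the peer receives exactly the two files (scp -p
# keeps their modes) and reloads httpd, then the owner reloads its own httpd.
write_hook() {
  out="$1"
  cat >"$out" <<EOF
#!/bin/sh
# certmonger post-save hook for $SERVICE_NAME (generated by the example script)
set -e
for f in hostname.crt hostname.key; do
  scp -pq "$CERT_DIR/\$f" "root@$PEER_HOST:$CERT_DIR/\$f"
done
ssh -q "root@$PEER_HOST" systemctl reload httpd
systemctl reload httpd
EOF
  chmod 0755 "$out"
}

# Dry run by default: --print shows the commands, --install-hook writes HOOK.
case "${1:-}" in
  --print)        ipa_setup_cmds; getcert_request_cmd ;;
  --install-hook) write_hook "$HOOK" ;;
esac
```

Run it with `--print` to see the IPA and certmonger commands for review, then `--install-hook` on the owning host before issuing the `ipa-getcert request` line. Only hostA carries a tracking request, so renewal state (`getcert list`) is visible there alone; hostB holds nothing but the pushed files, and the private key crosses the network only inside the ssh session between the two hosts.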
