Re: [Freeipa-users] How to get a new cert

2016-09-28 Thread Bret Wortman

Perfect. That did the trick. Many thanks, Flo.


Bret


On 09/28/2016 09:47 AM, Florence Blanc-Renaud wrote:

On 09/27/2016 08:00 PM, Bret Wortman wrote:

That looks like it worked, but I have a follow-on question:

I need to provide my RabbitMQ instance with a cacert file, a cert, and a
key file. These seem to be .pem files. Is there an easy way to gather
these 3 files from a typical IPA client node?


Hi,

you can retrieve the new cert using the GUI. Navigate to Identity tab, 
then Users or Hosts or Services and pick your user, host or service. 
You will find in the "Actions" button a command to "Get Certificate". 
This will open a new window with the content of the cert, that you can 
copy/paste into mycert.pem.


Once you have obtained mycert.pem, you can add it to the NSS database 
that you used previously in order to generate the CSR:

$ certutil -A -d path_to_database -i mycert.pem -t u,u,u -n mycert

Add IPA CA to the nss database:
$ certutil -A -d path_to_database -n "IPA CA" -t CT,, -a < /etc/ipa/ca.crt


Then pk12util and openssl will allow you to extract the key and certs 
through a temp keys.p12 file:

$ pk12util -o keys.p12 -n mycert -d path_to_database
$ openssl pkcs12 -in keys.p12 -out mykey.pem -nodes

The output is mykey.pem which contains the key, the new certificate 
and IPA CA certificate.


HTH,
Flo.


Merci!


Bret


On 09/27/2016 11:28 AM, Florence Blanc-Renaud wrote:

Hi Bret,

would the following be helpful? In "Linux Domain Identity,
Authentication, and Policy Guide", Chapter 17.1.1 Requesting New
Certificates for a User, Host, or Service [1]

Flo.

[1]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/certificates.html#certificate-request 




On 09/27/2016 04:20 PM, Bret Wortman wrote:

Is there a guide anywhere for how to obtain an SSL certificate for a new
server & service from the IPA CA master? Most of the guides I'm seeing
online use web pages at the major CAs to do this and I'd like to keep it
in the family.

Thanks!


--
*Bret Wortman*

http://wrapbuddies.co/










--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] How to get a new cert

2016-09-28 Thread Florence Blanc-Renaud

On 09/27/2016 08:00 PM, Bret Wortman wrote:

That looks like it worked, but I have a follow-on question:

I need to provide my RabbitMQ instance with a cacert file, a cert, and a
key file. These seem to be .pem files. Is there an easy way to gather
these 3 files from a typical IPA client node?


Hi,

you can retrieve the new cert using the GUI. Navigate to Identity tab, 
then Users or Hosts or Services and pick your user, host or service. You 
will find in the "Actions" button a command to "Get Certificate". This 
will open a new window with the content of the cert, that you can 
copy/paste into mycert.pem.


Once you have obtained mycert.pem, you can add it to the NSS database 
that you used previously in order to generate the CSR:

$ certutil -A -d path_to_database -i mycert.pem -t u,u,u -n mycert

Add IPA CA to the nss database:
$ certutil -A -d path_to_database -n "IPA CA" -t CT,, -a < /etc/ipa/ca.crt

Then pk12util and openssl will allow you to extract the key and certs 
through a temp keys.p12 file:

$ pk12util -o keys.p12 -n mycert -d path_to_database
$ openssl pkcs12 -in keys.p12 -out mykey.pem -nodes

The output is mykey.pem which contains the key, the new certificate and 
IPA CA certificate.


HTH,
Flo.


Merci!


Bret


On 09/27/2016 11:28 AM, Florence Blanc-Renaud wrote:

Hi Bret,

would the following be helpful? In "Linux Domain Identity,
Authentication, and Policy Guide", Chapter 17.1.1 Requesting New
Certificates for a User, Host, or Service [1]

Flo.

[1]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/certificates.html#certificate-request


On 09/27/2016 04:20 PM, Bret Wortman wrote:

Is there a guide anywhere for how to obtain an SSL certificate for a new
server & service from the IPA CA master? Most of the guides I'm seeing
online use web pages at the major CAs to do this and I'd like to keep it
in the family.

Thanks!


--
*Bret Wortman*

http://wrapbuddies.co/








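
Flo's last step leaves a single mykey.pem holding the key, the new certificate and the IPA CA certificate, while the question asked for three separate files. The following is an added example, not part of the original thread, that splits that file and checks the key against the certificate; the function names and the output names key.pem, cert.pem and cacert.pem are hypothetical, and it assumes the "Bag Attributes" text that `openssl pkcs12` writes before each item.

```shell
#!/bin/sh
# Added example. Output names key.pem, cert.pem, cacert.pem are hypothetical.
# Assumes the "Bag Attributes" text that openssl pkcs12 writes before each
# item, with a localKeyID only on the key and on the certificate paired to it.

split_pem_bundle() {
    bundle=$1; outdir=$2
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    rm -f "$outdir/key.pem" "$outdir/cert.pem" "$outdir/cacert.pem"
    (
        umask 077   # every file is created 0600; the key stays that way
        awk -v dir="$outdir" '
            /^Bag Attributes/ { haskeyid = 0 }
            /^ *localKeyID:/  { haskeyid = 1 }
            /^-----BEGIN / {
                out = ""
                if ($0 ~ /PRIVATE KEY-----/) { out = dir "/key.pem"; nkey++ }
                else if ($0 ~ /CERTIFICATE-----/) {
                    if (haskeyid) { out = dir "/cert.pem"; nleaf++ }
                    else          { out = dir "/cacert.pem"; nca++ }
                }
            }
            out != ""    { print > out }
            /^-----END / { out = ""; haskeyid = 0 }
            END { exit !(nkey == 1 && nleaf == 1 && nca >= 1) }
        ' "$bundle"
    ) || {
        rm -f "$outdir/key.pem" "$outdir/cert.pem" "$outdir/cacert.pem"
        echo "unexpected layout in $bundle, nothing written" >&2
        return 1
    }
    chmod 644 "$outdir/cert.pem" "$outdir/cacert.pem"
}

# True only if the private key and the certificate carry the same public key.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ "$kpub" = "$cpub" ]
}
```

Typical use is `split_pem_bundle mykey.pem outdir && key_matches_cert outdir/key.pem outdir/cert.pem`. Because `-nodes` writes the private key unencrypted, mykey.pem and keys.p12 should be deleted once the three files are in place.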


Re: [Freeipa-users] How to get a new cert

2016-09-28 Thread Bret Wortman

Yeah, I'm still not getting this, and I'm probably missing something 
painfully obvious.


I follow the steps here:

1. Log into the server for which I need the cert.

2. # certutil -R -d /etc/pki/nssdb -a -g 2048 -s "CN=testesk1.internal.net,O=INTERNAL.NET" > ssl.csr


I then copy the contents of the csr file and paste it into the FreeIPA 
UI after selecting Actions->New Certificate from the Host Settings page.


3. I then click Actions->Get Certificate on that same page to extract 
the contents and paste it into a new .pem file on the requesting host.


But how do I get at the key that was used in the creation of this cert? 
I can get the cacert, and I've got the newly-issued cert, but what about 
the key?


Thanks!


Bret


On 09/27/2016 02:00 PM, Bret Wortman wrote:

That looks like it worked, but I have a follow-on question:

I need to provide my RabbitMQ instance with a cacert file, a cert, and 
a key file. These seem to be .pem files. Is there an easy way to 
gather these 3 files from a typical IPA client node?


Merci!


Bret


On 09/27/2016 11:28 AM, Florence Blanc-Renaud wrote:

Hi Bret,

would the following be helpful? In "Linux Domain Identity, 
Authentication, and Policy Guide", Chapter 17.1.1 Requesting New 
Certificates for a User, Host, or Service [1]


Flo.

[1] 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/certificates.html#certificate-request


On 09/27/2016 04:20 PM, Bret Wortman wrote:

Is there a guide anywhere for how to obtain an SSL certificate for a new
server & service from the IPA CA master? Most of the guides I'm seeing
online use web pages at the major CAs to do this and I'd like to keep it
in the family.

Thanks!


--
*Bret Wortman*

http://wrapbuddies.co/










Re: [Freeipa-users] How to get a new cert

2016-09-27 Thread Bret Wortman

That looks like it worked, but I have a follow-on question:

I need to provide my RabbitMQ instance with a cacert file, a cert, and a 
key file. These seem to be .pem files. Is there an easy way to gather 
these 3 files from a typical IPA client node?


Merci!


Bret


On 09/27/2016 11:28 AM, Florence Blanc-Renaud wrote:

Hi Bret,

would the following be helpful? In "Linux Domain Identity, 
Authentication, and Policy Guide", Chapter 17.1.1 Requesting New 
Certificates for a User, Host, or Service [1]


Flo.

[1] 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/certificates.html#certificate-request


On 09/27/2016 04:20 PM, Bret Wortman wrote:

Is there a guide anywhere for how to obtain an SSL certificate for a new
server & service from the IPA CA master? Most of the guides I'm seeing
online use web pages at the major CAs to do this and I'd like to keep it
in the family.

Thanks!


--
*Bret Wortman*

http://wrapbuddies.co/








Re: [Freeipa-users] How to get a new cert

2016-09-27 Thread Florence Blanc-Renaud

Hi Bret,

would the following be helpful? In "Linux Domain Identity, 
Authentication, and Policy Guide", Chapter 17.1.1 Requesting New 
Certificates for a User, Host, or Service [1]


Flo.

[1] 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/certificates.html#certificate-request


On 09/27/2016 04:20 PM, Bret Wortman wrote:

Is there a guide anywhere for how to obtain an SSL certificate for a new
server & service from the IPA CA master? Most of the guides I'm seeing
online use web pages at the major CAs to do this and I'd like to keep it
in the family.

Thanks!


--
*Bret Wortman*

http://wrapbuddies.co/






[Freeipa-users] How to get a new cert

2016-09-27 Thread Bret Wortman

Is there a guide anywhere for how to obtain an SSL certificate for a new 
server & service from the IPA CA master? Most of the guides I'm seeing 
online use web pages at the major CAs to do this and I'd like to keep it 
in the family.


Thanks!


--
*Bret Wortman*

http://wrapbuddies.co/