On 11/16/20 10:38 AM, Scott Reed via FreeIPA-users wrote:
I created some service certificates for some of my machines that are using
FreeIPA. I followed the instructions that were in the web interface. Now, we
need to establish the keys so that we can use them for TLS communications
between nodes. I am trying to figure out how to create the keys that would be
associated with the certificate and then export them in pkcs12 format. Does
anyone know of any resources that would help me out? I've been having a hard
time finding resources that apply to what I am trying to do.
Thanks,
The newbie
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Hi,
I assume that you followed instructions similar to what is described here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/certificates#certificate-request
The webUI guided you and asked to run
# certutil -N -d <database path>
# certutil -R -d <database path> -a -g <key size> -s <subject> -8 <hostname>
The first command created an NSS database in the specified path, and the
second one generated a key in this database + a certificate request
using this key. This means that you already have the key in the database.
You can then import the new cert in the DB and export cert + key in a
pkcs12 file:
1/ export the certificate in a pem file: in the webui you can click on
"Actions" near the certificate and select "Download". This will allow you to
store the cert in a pem file, for instance cert.pem
2/ add the certificate in the NSS database used in the previous steps:
# certutil -A -d <database path> -n <alias> -t P,, -i <path to cert.pem>
3/ export the cert and keys into a p12 file
# pk12util -d <database path> -o bundle.p12 -n <alias>
The file bundle.p12 will contain both the key and the cert.
HTH,
flo
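
Steps 2/ and 3/ from the reply above combined into one function, as an added example that is not part of the original message. The function name export_p12 and the password-file variables NSS_PWFILE and P12_PWFILE are assumptions; the check between the two steps confirms that the imported certificate found its key in this database before the export runs.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the NSS database password
# is stored in the file $NSS_PWFILE and the PKCS#12 password in $P12_PWFILE.
# Usage: export_p12 <database path> <alias> <path to cert.pem> [output.p12]

export_p12() {
    db=$1; nick=$2; cert=$3; out=${4:-bundle.p12}

    # The private key only exists in the database where "certutil -R" was run.
    [ -d "$db" ] || { echo "no NSS database at $db" >&2; return 2; }

    # The web UI download is PEM; reject anything else before touching the DB.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null ||
        { echo "$cert is not a PEM certificate" >&2; return 3; }

    # Step 2/: import the issued certificate next to its key.
    certutil -A -d "$db" -n "$nick" -t P,, -i "$cert" -f "$NSS_PWFILE" ||
        return 4

    # When the certificate matches a key in this database, "certutil -K"
    # lists that key under the certificate's nickname. If it does not,
    # pk12util would have no private key to put in the bundle.
    certutil -K -d "$db" -f "$NSS_PWFILE" | grep -qF -- "$nick" ||
        { echo "no private key for $nick in $db" >&2; return 5; }

    # Step 3/: the bundle contains the private key, so create it owner-only.
    ( umask 077
      pk12util -d "$db" -n "$nick" -o "$out" \
               -k "$NSS_PWFILE" -w "$P12_PWFILE" ) || return 6
}
```

A return code of 5 usually means the certificate was imported into a different database than the one that generated the request.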