On Wed, 26 Jul 2023 11:10:23 +0000
Carlos Lopez via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
wrote:
> Hi all,
>
> Sorry to disturb, but I cannot find the correct procedure to accomplish this. I have created a certificate in the WebUI and I can export the certificate in PEM format, which is what I need. But I need the private key also. This certificate is for a host outside of Kerberos and LDAP's FreeIPA domain.
>
> How can I export the PEM cert and key file?
>
> Regards,
> C. L. Martinez
>
While I don't know the answer to your question, I can say that the
private key should not leave the server (machine, service, user, ...)
which uses it. The standard procedure for PKI is to generate a private
key on the machine, generate a CSR, send the CSR to the CA to get
signed (which issues the certificate), then install the certificate
back on the machine. If the machine is enrolled into FreeIPA you can do
this with certmonger. If not, you can probably still get FreeIPA to
sign your CSR.
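
The procedure described in the reply above (key generated on the machine, only the CSR sent to the CA), as an added example that is not part of the original thread. It assumes the `openssl` CLI (1.1.1 or later for `-addext`); the hostname `host.example.test` and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: the private key is generated on the host that will use it
# and never leaves it; only the CSR is handed to the CA.
# host.example.test and the function names are constructed for illustration.

# Generate key + CSR in a subshell so the tight umask does not leak out.
make_key_and_csr() (
    fqdn="$1"; outdir="$2"
    umask 077                       # key file readable by its owner only
    mkdir -p "$outdir" || exit 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$outdir/$fqdn.key" 2>/dev/null || exit 1
    openssl req -new -key "$outdir/$fqdn.key" \
        -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" \
        -out "$outdir/$fqdn.csr" || exit 1
)

# Succeeds only if the CSR carries the public half of the given key.
csr_matches_key() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d)
if make_key_and_csr host.example.test "$demo_dir" &&
   csr_matches_key "$demo_dir/host.example.test.key" \
                   "$demo_dir/host.example.test.csr"
then
    echo "CSR to send to the CA:       $demo_dir/host.example.test.csr"
    echo "Key that stays on this host: $demo_dir/host.example.test.key"
fi
# Next step (not run here): submit only the .csr to the CA, for FreeIPA e.g.
# with `ipa cert-request`, then install the issued certificate next to the key.
```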