Hi,

On Tue, Oct 17, 2023 at 8:20 PM HUANG, TONY via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi Rob,

The CSR is generated within the web UI by following this section "Web UI: Requesting new certificates" ( https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/certificates )

If you followed this guide, the procedure involves certutil and a NSS database:


This means that your private key is stored in the NSS database in <database path>. In order to extract the key, you first need to add the cert to the NSS database with
certutil -A -d <database path> -n <nickname> -t u,u,u -i <certificate.crt>

Then create a p12 file containing cert + pem:
pk12util -d <database path> -n <nickname> -o file.p12

And finally extract key from the p12 file:
openssl pkcs12 -in file.p12 -nocerts -out privateKey.pem
HTH,
flo


I am looking to perform an authenticated ldapsearch using certificate-based authentication so I don't have to pass username and password onto the command line when searching against cn=groups,cn=accounts. Looks like only authenticated ldapsearch will yield memberOf info (usernames that belong to the group), but an anonymous ldapsearch will only yield group container info without memberOf UIDs.

This document ( https://access.redhat.com/documentation/en-us/red_hat_directory_server/12/html/securing_red_hat_directory_server/assembly_configuring-certificate-based-authentication_securing-rhds ) says we need to have .ldaprc which include user's private key, therefore my original question.

LDAPTLS_CACERT=/home/user_name/CA.crt
LDAPTLS_KEY=/home/user_name/user.key
LDAPTLS_CERT=/home/user_name/user.der

Will my certificate-based ldapsearch work without user.key defined?

So far I haven't been able to perform the ldapsearch because I am getting:

ldap_start_tls: Can't contact LDAP server (-1) additional info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain).

Any pointers will be greatly appreciated!


--Tony


On Tue, Oct 17, 2023 at 4:58 AM Rob Crittenden <rcritten@redhat.com> wrote:
HUANG, TONY via FreeIPA-users wrote:
> Hi,
>
> I am trying to achieve user authentication against IdM using user's
> certificate. User certificate is requested to the built-in CA within IdM
> and signed by it.
>
> I am able to download the user's public cert via the web UI, but how can
> I download the private key so I can define it in user's .ldaprc file?

IPA never has access to a user's private key. A key is generated by a
user (e.g. openssl genrsa) and a CSR (Certificate Signing Request) using
that (openssl req). So the user should already possess the private key.

This is assuming the user used openssl to generate the key. With NSS the
private key would be in whatever database was used to create the CSR.

rob

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
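Two checks worth running before pointing LDAPTLS_KEY and LDAPTLS_CERT at the files extracted above: that the key pulled out of the p12 really belongs to the user certificate, and that the certificate chains to the CA file you intend to hand to LDAPTLS_CACERT (the "self signed certificate in certificate chain" error above is what you get when that CA is not trusted). This is an added example, not code from anyone in the thread; it builds a throwaway CA and user certificate with openssl (constructed data, no IdM server involved) and uses openssl pkcs12 in place of pk12util.

```shell
#!/bin/sh
# Added example: verify an extracted private key against its user cert and
# show why the CA file matters for TLS verification. All material is
# constructed locally; file names mirror the thread (CA.crt, file.p12, ...).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the IdM CA and a user cert it signed.
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example IPA CA" \
    -keyout "$WORK/ca.key" -out "$WORK/CA.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=tony" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/CA.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/user.crt" 2>/dev/null
  # Bundle cert + key (what pk12util produces), then extract only the key,
  # as in the thread. -nodes writes the key unencrypted; chmod it to 0600.
  openssl pkcs12 -export -in "$WORK/user.crt" -inkey "$WORK/user.key" \
    -out "$WORK/file.p12" -passout pass:secret
  openssl pkcs12 -in "$WORK/file.p12" -nocerts -nodes -passin pass:secret \
    -out "$WORK/privateKey.pem" 2>/dev/null
  chmod 0600 "$WORK/privateKey.pem"
}

# Returns 0 when the key's public half equals the certificate's public key,
# i.e. this is the key that matches the cert you will put in LDAPTLS_CERT.
key_matches_cert() {  # $1=key.pem  $2=cert.pem
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout \
        | openssl pkey -pubin -pubout -outform DER | openssl sha256)
  [ "$k" = "$c" ]
}

# Returns 0 when the cert chains to the given CA file. With an empty CA
# argument no trust anchors are used at all, which reproduces the
# "self signed certificate in certificate chain" failure from ldapsearch
# when LDAPTLS_CACERT does not point at the IdM CA.
cert_verifies() {  # $1=cert.pem  $2=CA file or ""
  if [ -n "$2" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
  fi
}

make_fixture
key_matches_cert "$WORK/privateKey.pem" "$WORK/user.crt" && echo "key matches user cert"
cert_verifies "$WORK/user.crt" "" || echo "no CA file: verify fails (untrusted self-signed CA)"
cert_verifies "$WORK/user.crt" "$WORK/CA.crt" && echo "with CA.crt: verify OK"
```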