Techmail via FreeIPA-users wrote:
I'm setting up a RabbitMQ server on our internal network, and I thought
now would be a good time to figure out how to use FreeIPA to issue certs
for services to enable TLS. (Only internal systems with the IPA cert
will access the system.) However, I'm running into a couple of problems.
I'm following the FreeIPA PKI Docs on how to set up an automated cert
request with Certmonger which will put cert renewal on autopilot,
hopefully, and I'm getting stuck on step #6 of the instructions where
I'm supposed to import the IPA `ca.crt` into the nssdb which was created
Command and results of step #6:
[me(a)rabbitserver.sub.domain.tld]# certutil -A -d /etc/rabbitmq/nssdb -n 'SUB.DOMAIN.TLD IPA CA' -t CT,, -a < /etc/ipa/ca.crt
Enter Password or Pin for "NSS Certificate DB":
I don't know what password or pin it would like.
The password is whatever you set when you created /etc/rabbitmq/nssdb.
I don't remember RabbitMQ using NSS. Doesn't it need separate PEM files
for the cert and key?
I read something which suggested
on the IPA server contained the magic words which would unlock the
database, so I copied the token which is not what certutil wants to
Each NSS database typically has its own password.
Example contents of `/etc/ipa/nssdb/pin.txt` on IPA server:
Internal (Software) Token:<thispartiswhaticopied>
Here are the problems:
1. I don't know the PIN or password for `/etc/ipa/nssdb`.
But you aren't using /etc/ipa/nssdb. It's apples and oranges.
2. Would like the cert to be auto managed.
certmonger does that.
3. FreeIPA docs and RHEL docs disagree. 
They do not. You are comparing a very specific use-case, requesting a
web server cert for use with mod_nss which uses NSS, vs more generic
cases of requesting a cert for a service.
* CentOS 7
* ipa-server: 4.6.8-5.el7.centos
* CentOS Stream 8
* ipa-client: 4.9.0-1.module_el8.4.0+635+535c2b80
You probably want something like this, which will generate PEM files,
which IIRC is what RabbitMQ needs.
Create a rabbitmq service for the rabbit server in IPA. You can name it
whatever you want but naming it similar to the service is helpful. Every
cert needs to be stored in a bucket.
# kinit admin
# ipa service-add rabbitmq/mq.example.test
Request a cert for mq.example.test *on* mq.example.test (you need no
special IPA credentials for this. The host handles the request):
# ipa-getcert request -f /etc/pki/tls/certs/rabbitmq.pem -k /etc/pki/tls/private/rabbitmq.key -K rabbitmq/mq.example.test -D
I think that should do it. You can extend the request with anything
special you need, like a post-install command to restart the service for
You can put the cert and key some place else if you want but be aware of
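Once ipa-getcert has written the PEM pair, the checks worth running on it before pointing RabbitMQ at the files are: the private key matches the certificate, the certificate chains to /etc/ipa/ca.crt, and the SAN carries the host name. The script below is an added example for this thread, not code from the reply above nor from FreeIPA, certmonger or RabbitMQ. It assumes the paths from the reply (/etc/pki/tls/certs/rabbitmq.pem, /etc/pki/tls/private/rabbitmq.key, /etc/ipa/ca.crt) and the host name mq.example.test; because it has to run offline, a throwaway CA generated here with openssl stands in for the IPA CA and a leaf it signs stands in for the certificate certmonger would have obtained.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the PEM cert/key that
# ipa-getcert wrote before enabling TLS in RabbitMQ. Paths and host name are
# assumptions taken from the reply; the CA and leaf built below are constructed
# stand-ins so the script runs offline without an IPA server.
set -eu

# succeed only if the key's public half equals the cert's public key
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# succeed only if the cert verifies against the CA bundle (e.g. /etc/ipa/ca.crt)
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# succeed only if the cert's subjectAltName lists exactly DNS:<host>
cert_has_dns_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ', ' '\n\n' \
        | grep -qxF "DNS:$2"
}

# run all three checks; print the first failure and return non-zero
check_issued_pair() {
    ca=$1 cert=$2 key=$3 host=$4
    key_matches_cert "$cert" "$key"   || { echo "FAIL: $key does not match $cert"; return 1; }
    cert_chains_to_ca "$ca" "$cert"   || { echo "FAIL: $cert does not chain to $ca"; return 2; }
    cert_has_dns_san "$cert" "$host"  || { echo "FAIL: $cert has no DNS SAN for $host"; return 3; }
    echo "OK: $cert matches $key, chains to $ca, carries DNS:$host"
}

# --- constructed sample material (replace with the real paths on the host) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=mq.example.test                 # assumed host name from the reply
CA=$WORK/ca.crt                      # stands in for /etc/ipa/ca.crt
CERT=$WORK/rabbitmq.pem              # stands in for /etc/pki/tls/certs/rabbitmq.pem
KEY=$WORK/rabbitmq.key               # stands in for /etc/pki/tls/private/rabbitmq.key

# throwaway self-signed CA standing in for the IPA CA
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=EXAMPLE.TEST IPA CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$CA" 2>/dev/null

# leaf for the host, as certmonger would have had the CA issue it (SAN via -D)
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > "$WORK/leaf.ext"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$KEY" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$CA" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 1 -extfile "$WORK/leaf.ext" -out "$CERT" 2>/dev/null

# an unrelated key, to show the mismatch check firing
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.key" 2>/dev/null

check_issued_pair "$CA" "$CERT" "$KEY" "$HOST"
if ! check_issued_pair "$CA" "$CERT" "$WORK/other.key" "$HOST"; then
    echo "(mismatched key correctly rejected)"
fi
```

On the real host, set CA, CERT and KEY to the paths above, drop the sample-generation section, and run it after each issuance; since ipa-getcert accepts a post-save command (-C), the same checks can run automatically every time certmonger renews the certificate, before the command that restarts RabbitMQ.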