On 11/16/20 10:38 AM, Scott Reed via FreeIPA-users wrote:
I created some service certificates for some of my machines that are
using FreeIPA. I followed the instructions that were in the web interface. Now, we need
to establish the keys so that we can use them for TLS communications between nodes. I am
trying to figure out how to create the keys that would be associated with the certificate
and then export them in pkcs12 format. Does anyone know of any resources that would help
me out? I've been having a hard time finding resources that apply to what I am trying
to do.
Thanks,
The newbie
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Hi,
I assume that you followed instructions similar to what is described here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
The webUI guided you and asked to run
# certutil -N -d <database path>
# certutil -R -d <database path> -a -g <key size> -s <subject> -8 <hostname>
The first command created a NSS database in the specified path, and the
second one generated a key in this database + a certificate request
using this key. This means that you already have the key in the database.
You can then import the new cert in the DB and export cert + key in a
pkcs12 file:
1/ export the certificate in a pem file: in the webui you can click on
"Actions" near the certificate and select "Download". This will let you
store the cert in a pem file, for instance cert.pem
2/ add the certificate to the NSS database used in the previous steps:
# certutil -A -d <database path> -n <alias> -t P,, -i <path to cert.pem>
3/ export the cert and keys into a p12 file
# pk12util -d <database path> -o bundle.p12 -n <alias>
The file bundle.p12 will contain both the key and the cert.
HTH,
flo
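The steps flo describes, run end to end as an added example (this script is not part of the thread and is not FreeIPA's or NSS's own code). It assumes certutil and pk12util (libnss3-tools) and openssl are on PATH. Since a real FreeIPA CA is not available offline, a throwaway openssl CA signs the CSR in step 3 in place of the "Download" step in the web UI; everything else is the certutil -N / -R / -A and pk12util -o sequence from the reply. The hostname, nickname, passwords and scratch paths are demo values. It finishes with the check a practitioner should run before handing the bundle to a TLS stack: extract the public key from the certificate and from the private key inside the .p12 and confirm they are the same key.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes certutil, pk12util
# and openssl are installed. A throwaway openssl CA stands in for the
# FreeIPA CA; in real use the signed cert is the one downloaded from the
# FreeIPA web UI.
set -eu

build_bundle() {
    work=$1    # scratch directory
    host=$2    # hostname for the subject CN and the DNS SAN
    alias=$3   # nickname of the cert inside the NSS database
    db="$work/nssdb"
    mkdir -p "$db"
    echo "nssdb-demo-password" > "$work/dbpw.txt"   # NSS DB password (demo value)
    echo "p12-demo-password"   > "$work/p12pw.txt"  # password protecting the .p12
    head -c 512 /dev/urandom > "$work/noise.bin"    # entropy so -R needs no keyboard input

    # 1. create the NSS database
    certutil -N -d "$db" -f "$work/dbpw.txt"

    # 2. generate the key pair in the DB and an ASCII CSR that uses it;
    #    the private key never leaves the database
    certutil -R -d "$db" -f "$work/dbpw.txt" -a -g 2048 \
        -s "CN=$host,O=EXAMPLE.TEST" -8 "$host" \
        -z "$work/noise.bin" -o "$work/$host.csr" >/dev/null

    # 3. have a CA sign the CSR (throwaway openssl CA here, FreeIPA in real life)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Throwaway demo CA" \
        -keyout "$work/ca.key" -out "$work/ca.pem"
    printf 'subjectAltName=DNS:%s\n' "$host" > "$work/san.cnf"
    openssl x509 -req -in "$work/$host.csr" \
        -CA "$work/ca.pem" -CAkey "$work/ca.key" -CAcreateserial \
        -days 1 -extfile "$work/san.cnf" -out "$work/cert.pem"

    # 4. import the signed cert into the same DB; because the matching key is
    #    already there, certutil -L will list it with u,u,u
    certutil -A -d "$db" -f "$work/dbpw.txt" -n "$alias" -t P,, -i "$work/cert.pem"

    # 5. export cert + key as PKCS#12. Ciphers are pinned to AES so that
    #    OpenSSL 3 without the legacy provider can read the result.
    pk12util -d "$db" -k "$work/dbpw.txt" -n "$alias" \
        -o "$work/bundle.p12" -w "$work/p12pw.txt" \
        -c AES-256-CBC -C AES-256-CBC >/dev/null
    echo "$work/bundle.p12"
}

# Sanity check before shipping the bundle: the public key taken from the
# certificate and the public key derived from the private key must be
# identical. Prints "match" or "mismatch".
verify_bundle() {
    p12=$1
    pwfile=$2
    certpub=$(openssl pkcs12 -in "$p12" -passin "file:$pwfile" -clcerts -nokeys \
        | openssl x509 -noout -pubkey)
    keypub=$(openssl pkcs12 -in "$p12" -passin "file:$pwfile" -nocerts -nodes \
        | openssl pkey -pubout)
    if [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Usage when run by hand:
#   work=$(mktemp -d)
#   p12=$(build_bundle "$work" node1.example.test node1-tls)
#   verify_bundle "$p12" "$work/p12pw.txt"
```

The pinned ciphers matter in practice: older pk12util defaults wrap the certificate bag with 40-bit RC2, which OpenSSL 3 refuses to decrypt unless you pass -legacy, so pinning AES on export saves a confusing failure on the consuming side. The verify step also catches the classic mistake of importing a certificate into a different database than the one that holds the key, in which case pk12util has nothing to export.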