I created some service certificates for some of my machines that are using FreeIPA. I followed the instructions that were in the web interface. Now, we need to establish the keys so that we can use them for TLS communications between nodes. I am trying to figure out how to create the keys that would be associated with the certificate and then export them in pkcs12 format. Does anyone know of any resources that would help me out? I've been having a hard time finding resources that apply to what I am trying to do.
Thanks,
The newbie
On 11/16/20 10:38 AM, Scott Reed via FreeIPA-users wrote:
Hi,
I assume that you followed instructions similar to what is described here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
The webUI guided you and asked you to run:
# certutil -N -d <database path>
# certutil -R -d <database path> -a -g <key size> -s <subject> -8 <hostname>
The first command created a NSS database in the specified path, and the second one generated a key in this database + a certificate request using this key. This means that you already have the key in the database.
You can then import the new cert in the DB and export cert + key in a pkcs12 file:
1/ export the certificate in a pem file: in the webui you can click on "Actions" near the certificate and select "Download". This will allow you to store the cert in a pem file, for instance cert.pem
2/ add the certificate in the NSS database used in the previous steps: # certutil -A -d <database path> -n <alias> -t P,, -i <path to cert.pem>
3/ export the cert and keys into a p12 file # pk12util -d <database path> -o bundle.p12 -n <alias>
The file bundle.p12 will contain both the key and the cert.
HTH, flo