Got a strange one for the list ...
I've got a lovely multi-region replicating FreeIPA cluster spanning a few AWS VPCs that is doing a fantastic job stitching together a complex Active Directory topology.
Now, however I have a need to support clients in a different, less trusted VPC and the firewall people want to do a MiTM attack on the TLS/HTTPS streams so they can intercept, decrypt and monitor HTTPS traffic -- including apparently to and from the IPA nodes.
They want the SSL cert and key used by the HTTPS interface on the IPA systems so they can set up the intercept properly.
My main question -- how do I properly extract the key and certificate from FreeIPA?
From reading and poking around it looks like the certs I want are in /etc/httpd/alias but must be accessed by the 'certutil' utility, which seems ... under-documented ... both in the IPA docs as well as from what I can tell online.
I'm sort of terrified of breaking my installation by screwing up certificate work.
Can anyone provide tips, URLs or a cheatsheet for pulling SSL certificates and keys out of FreeIPA? Particularly the cert and key that are used on the HTTPS TCP:443 interface?
Thanks!
Chris
On 7/2/19 2:32 PM, Chris Dagdigian via FreeIPA-users wrote:
Hi,
the steps differ depending on the version you are using. From ipa 4.7+, the http server cert is stored in /var/lib/ipa/certs/httpd.crt (PEM format) and the key is in /var/lib/ipa/private/httpd.key.
For older versions, the cert/key are stored in the NSS database /etc/httpd/alias with the nickname 'Server-Cert'. It is possible to extract the server cert and key as a p12 file with $ pk12util -o /path/to/file.p12 -n Server-Cert -d /etc/httpd/alias/ -k /etc/httpd/alias/pwdfile.txt (the tool will ask you to provide a password to protect the p12 file). Note that the p12 file will also contain the CA cert.
If you need a different format, you can use the following command to create a PEM file with the key only: openssl pkcs12 -in /path/to/file.p12 -out /path/to/httpd.key -nodes -nocerts (warning, you need to protect the httpd.key file with appropriate file permissions). And the following to extract the cert only: $ openssl pkcs12 -in /path/to/file.p12 -clcerts -nokeys -out /path/to/httpd.crt
Also note that each IPA master may have a different cert/key for httpd (the subject is usually CN=hostname.domain.com,O=DOMAIN.COM).
HTH, flo
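Flo's steps wrapped into a script, as an added example that is not part of this thread or of FreeIPA itself: it copies the PEM files on 4.7+, otherwise goes through pk12util and openssl as described, then confirms the exported key really belongs to the cert and that the key file is owner-only before it is handed to anyone. It assumes pk12util and openssl are on the path; the default paths and the Server-Cert nickname are the ones from the reply.

```shell
#!/bin/sh
# Added example, not from the thread or FreeIPA: export the httpd TLS pair
# following flo's steps, then verify it before handing it over.
# Assumes pk12util and openssl are installed; default paths are from the reply.

# ipa_httpd_export OUTDIR [NSSDIR] [PEM_CRT] [PEM_KEY]
# Writes OUTDIR/httpd.crt and OUTDIR/httpd.key (mode 0600) using whichever
# layout exists: the 4.7+ PEM files, else the older NSS db via a temporary p12.
ipa_httpd_export() (
  set -eu
  outdir=$1; nssdir=${2:-/etc/httpd/alias}
  crt=${3:-/var/lib/ipa/certs/httpd.crt}; key=${4:-/var/lib/ipa/private/httpd.key}
  umask 077; mkdir -p "$outdir"
  if [ -r "$crt" ] && [ -r "$key" ]; then
    cp "$crt" "$outdir/httpd.crt"; cp "$key" "$outdir/httpd.key"
  else
    # Older IPA: Server-Cert lives in the NSS db; a throwaway random p12
    # password keeps the intermediate file protected while it exists.
    p12=$outdir/httpd.p12; p12pass=$(openssl rand -hex 16)
    pk12util -o "$p12" -n Server-Cert -d "$nssdir" -k "$nssdir/pwdfile.txt" -W "$p12pass"
    openssl pkcs12 -in "$p12" -passin "pass:$p12pass" -nodes -nocerts -out "$outdir/httpd.key"
    openssl pkcs12 -in "$p12" -passin "pass:$p12pass" -clcerts -nokeys -out "$outdir/httpd.crt"
    rm -f "$p12"
  fi
  chmod 0600 "$outdir/httpd.key"; chmod 0644 "$outdir/httpd.crt"
)

# ipa_httpd_check OUTDIR
# Fails unless the key's public half matches the cert (each master has its own
# pair, so a mix-up is easy) and the key file is owner-only; prints subject/expiry.
ipa_httpd_check() (
  set -eu
  crt=$1/httpd.crt; key=$1/httpd.key
  c=$(openssl x509 -in "$crt" -noout -pubkey | openssl dgst -sha256)
  k=$(openssl pkey -in "$key" -pubout | openssl dgst -sha256)
  [ "$c" = "$k" ] || { echo "ERROR: $key does not match $crt" >&2; exit 1; }
  perm=$(ls -l "$key" | cut -c5-10)
  [ "$perm" = "------" ] || { echo "ERROR: $key is group/world accessible" >&2; exit 1; }
  openssl x509 -in "$crt" -noout -subject -enddate
)
```

Run ipa_httpd_export once per IPA master, since each may carry its own pair, and only ship the directory after ipa_httpd_check exits 0.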
Thanks!
Chris
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org