Rob Crittenden via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
writes:
> certmonger doesn't support storing certificates in a java keystore.
>
> certmonger has the concept of pre and post renewal scripts so you can,
> for example, stop or start a service, or import a renewed certificate
> somewhere else (IPA uses this to store a copy of some certificates in LDAP).
> So theoretically certmonger could, for example, track PEM files in the
> filesystem and upon renewal run a post script to import the updated cert
> into the java keystore.
This is my current script to get a cert from IPA, which is tracked by
certmonger. I've yet to test refreshing a certificate, but the steps
manually did work (I expect some SELinux woes...):
#!/bin/sh
# Get a certificate and key from IPA. certmonger tracks the PEM files; -C names
# the post-save command that will run the steps below on every renewal.
#ipa-getcert request -w -f /etc/pki/tls/certs/saml.example.org.crt \
#   -k /etc/pki/tls/private/saml.example.org.key \
#   -N CN=saml.example.org \
#   -D saml.example.org \
#   -K HTTP/saml.example.org -U 1.3.6.1.5.5.7.3.1
## -C "<here-we-call-the-commands-below>"
set -e
cd /opt/jboss/keycloak/standalone/configuration
# We need to have the password we use on the keystore also as the key password.
# IPA keys do not have a password - let's add one to a temp file.
openssl rsa -des3 -in /etc/pki/tls/private/saml.example.org.key -out saml.example.org.key \
    -passout file:/opt/jboss/keycloak/standalone/configuration/keystore.password
# Combine the key, the cert, and the CA cert into a pkcs12 file, which we'll
# import with keytool later. We need two password files with the same content,
# otherwise we'll get "Error reading password from BIO".
openssl pkcs12 -export \
    -passin file:/opt/jboss/keycloak/standalone/configuration/keystore.password \
    -passout file:/opt/jboss/keycloak/standalone/configuration/keystore.password2 \
    -in /etc/pki/tls/certs/saml.example.org.crt -inkey saml.example.org.key \
    -CAfile /etc/ipa/ca.crt -out temp.p12 -chain
#   -in /etc/pki/tls/certs/saml.example.org.crt -inkey /etc/pki/tls/private/saml.example.org.key \
# Now we can import our "pkcs12 keystore" into the keytool keystore we'll use
# for wildfly/keycloak. -noprompt makes keytool overwrite an existing alias
# instead of asking, which a certmonger post-save run cannot answer.
keytool -importkeystore -trustcacerts -noprompt \
    -srckeystore temp.p12 -srcstoretype PKCS12 \
    -srcstorepass:file /opt/jboss/keycloak/standalone/configuration/keystore.password \
    -destkeypass:file /opt/jboss/keycloak/standalone/configuration/keystore.password \
    -deststorepass:file /opt/jboss/keycloak/standalone/configuration/keystore.password \
    -destkeystore /opt/jboss/keycloak/standalone/configuration/keycloak.jks
# The temporary bundle and the re-encrypted key are private key material;
# remove them now that they are in the keystore.
rm -f temp.p12 saml.example.org.key
# We might now restart keycloak to activate the new certificate
#systemctl restart keycloak.service
Phew, there were some hurdles, some google-fu needed, and lots of
trial-and-error. I'm not sure how we can help other users of keytool,
but I'm confident I can get automatic refresh implemented.

Jochen
--
This space is intentionally left blank.
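The post-save hook Rob describes and Jochen's script implements, written up as one self-contained renewal hook. This is an added example, not Jochen's script and not certmonger, IPA or Keycloak code; the paths, the alias, the `KS_PASS`/`KS_PASS_FILE` names and the hook's install location are assumptions. It differs from the posted script in three ways: the keystore password is read once into the environment and handed to openssl and keytool via `env:`/`:env`, so one password file suffices and the two-files-with-identical-content workaround is unnecessary; the unencrypted IPA key is fed straight to `openssl pkcs12 -export`, whose `-passout` password becomes both the bundle and key password keytool sees, so the `openssl rsa -des3` step is not needed; and `-noprompt` plus a fixed `-srcalias`/`-destalias` make the import overwrite the previous entry, which is what a renewal run needs.

```shell
#!/bin/sh
# Added example, not Jochen's script and not certmonger/IPA code: a certmonger
# post-save hook (ipa-getcert request ... -C "<this script> run") that packs
# the PEM cert/key certmonger tracks into the Java keystore Keycloak reads.
# Paths, the alias and the KS_PASS/KS_PASS_FILE names are assumptions.
set -eu

CERT="${CERT:-/etc/pki/tls/certs/saml.example.org.crt}"
KEY="${KEY:-/etc/pki/tls/private/saml.example.org.key}"
CA="${CA:-/etc/ipa/ca.crt}"
KEYSTORE="${KEYSTORE:-/opt/jboss/keycloak/standalone/configuration/keycloak.jks}"
ALIAS="${ALIAS:-saml.example.org}"
KS_PASS_FILE="${KS_PASS_FILE:-/opt/jboss/keycloak/standalone/configuration/keystore.password}"

# Read the keystore password once into the environment. openssl and keytool
# then take it via env:/:env, so a single password file is enough and neither
# tool re-reads it (the "two files with the same content" workaround goes away).
load_pass() {
    if [ -z "${KS_PASS:-}" ]; then
        KS_PASS=$(head -n 1 "$KS_PASS_FILE")
    fi
    export KS_PASS
}

# Build a PKCS12 bundle: cert + unencrypted IPA key + CA bundle under one alias.
# The -passout password protects the bundle and becomes the key password
# keytool sees, so the key never needs a separate "openssl rsa -des3" pass.
# $1=cert $2=key $3=CA bundle $4=alias $5=output .p12
build_p12() {
    openssl pkcs12 -export -name "$4" \
        -in "$1" -inkey "$2" -certfile "$3" \
        -passout env:KS_PASS -out "$5"
}

# Import (or, on renewal, overwrite) the alias in the JKS keystore. -noprompt
# is what lets this run unattended from certmonger.
# $1=.p12 $2=alias $3=destination keystore
import_jks() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env KS_PASS \
        -srcalias "$2" -destalias "$2" \
        -destkeystore "$3" -deststoretype JKS \
        -deststorepass:env KS_PASS -destkeypass:env KS_PASS
}

# Succeeds only if the alias is present as a private-key entry.
# $1=keystore $2=alias
verify_alias() {
    keytool -list -keystore "$1" -storepass:env KS_PASS -alias "$2" \
        | grep -q PrivateKeyEntry
}

main() {
    load_pass
    tmp=$(mktemp -d)
    # the bundle holds the private key: remove it however the script ends
    trap 'rm -rf "$tmp"' EXIT
    build_p12 "$CERT" "$KEY" "$CA" "$ALIAS" "$tmp/bundle.p12"
    import_jks "$tmp/bundle.p12" "$ALIAS" "$KEYSTORE"
    verify_alias "$KEYSTORE" "$ALIAS"
    # Keycloak/WildFly reads the keystore at start-up, so the renewed
    # certificate is live only after a restart.
    # systemctl restart keycloak.service
}

# Run the hook only when invoked as "<script> run"; sourcing the file for
# testing just defines the functions.
case "${1:-}" in
    run) main ;;
esac
```

Wire it in with `ipa-getcert request ... -C "/usr/local/sbin/keycloak-cert-hook.sh run"` (assumed install path); certmonger runs the post-save command after each renewal, and the `run` argument keeps the script from doing anything when it is merely sourced. Keep the password file root-owned and mode 0600, since the hook reads it as root. One caveat worth knowing: OpenSSL 3 writes PKCS12 bundles with PBES2/AES by default, and a JVM old enough to lack that support rejects them with "keystore password was incorrect" even though the password is right; regenerating with `openssl pkcs12 -export -legacy` is the usual workaround there.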