On Wed, 26 Jul 2023 11:10:23 +0000 Carlos Lopez via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Hi all,
Sorry to disturb, but I cannot find the correct procedure to accomplish this. I have created a certificate in the WebUI and I can export the certificate in PEM format, which is what I need. But I need the private key also. This certificate is for a host outside of FreeIPA's Kerberos and LDAP domain.
How can I export pem cert and key file?
Regards, C. L. Martinez
While I don't know the answer to your question, I can say that the private key should not leave the server (machine, service, user,...) which uses it. The standard procedure for PKI is to generate a private key on the machine, generate a CSR, send the CSR to the CA to get signed (which issues the certificate), then install the certificate back on the machine. If the machine is enrolled into FreeIPA you can do this with certmonger. If not, you can probably still get FreeIPA to sign your CSR.
Jernej Jakob via FreeIPA-users wrote:
This is correct. The private key (CSR) is generated on the requestor's machine and submitted to the IPA CA by the user. IPA only has the public key (certificate).
As mentioned, there are a couple of ways to submit requests. One can do it from the CLI using cert-request, or via the WebUI, which leverages the same call, or have certmonger do it.
rob
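The workflow Jernej and Rob describe, written out as an added example (mine, not from the thread and not FreeIPA project code). The private key is generated on the requesting host, only the CSR goes to the IPA CA, and the issued certificate is checked against the local key before it is deployed. Assumed and not stated in the thread: the host name web01.demo1.freeipa.org, an existing IPA host entry with principal host/web01.demo1.freeipa.org, and a Kerberos ticket (kinit) whose holder is allowed to request certificates for that host.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeIPA project code): key stays on the
# requesting host, only the CSR travels to the IPA CA.
#
# Assumed (not stated in the thread): host name web01.demo1.freeipa.org, an
# existing IPA host entry with principal host/web01.demo1.freeipa.org, and a
# Kerberos ticket (kinit) whose holder may request certificates for that host.
set -eu

# 1. Key and CSR, generated locally. The umask is scoped to the subshell so the
#    key file is created 0600; the CSR carries only the public key and subject.
gen_key_and_csr() {
    dir=$1; fqdn=$2
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$dir/key.pem" )
    openssl req -new -key "$dir/key.pem" -subj "/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" -out "$dir/csr.pem"
}

# 2. Submit the CSR to the IPA CA and write the issued certificate back to disk.
#    This is the same cert-request call the WebUI and certmonger use.
submit_csr() {
    dir=$1; fqdn=$2
    ipa cert-request "$dir/csr.pem" --principal "host/$fqdn" \
        --certificate-out "$dir/cert.pem"
}

# 3. Before deploying, confirm the certificate really belongs to the local key by
#    comparing the SubjectPublicKeyInfo of each. Exit status 0 on match, 1 otherwise.
cert_matches_key() {
    cert=$1; key=$2
    c=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# Helper: CN from a CSR, for sanity-checking what is about to be submitted.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Usage on the host:
#   d=/etc/pki/web01; mkdir -p "$d"
#   gen_key_and_csr "$d" web01.demo1.freeipa.org
#   submit_csr "$d" web01.demo1.freeipa.org
#   cert_matches_key "$d/cert.pem" "$d/key.pem" && echo "certificate matches local key"
```

On a host that is enrolled in IPA, `ipa-getcert request -k <keyfile> -f <certfile> -K host/<fqdn>` has certmonger do steps 1 and 2 and also track the certificate for renewal; the script above is for the unenrolled-host case in the thread, where the CSR is submitted by hand.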
Oops ... You are right... My mistake. Sorry for the noise.
Problem is solved.
Regards, C. L. Martinez
-----Original Message-----
From: Rob Crittenden rcritten@redhat.com
Sent: Wednesday, July 26, 2023 14:28
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: Carlos Lopez clopmz@outlook.com; Jernej Jakob jernej.jakob@abak.si
Subject: Re: [Freeipa-users] Re: Exporting certificates with keys associated in FreeIPA
Hi,
if you used the WebUI to generate a cert, you had to type a few commands in a terminal, like:
certutil -N -d <database path>
certutil -R -d <database path> -a -g <key size> -s 'CN=employee,O=DEMO1.FREEIPA.ORG'
This means that you generated a key in the NSS database. When you used the WebUI to issue the cert, the new cert was added to the entry. You can retrieve it from the WebUI with the Actions > Download button, and you will obtain a pem file that you can load in the NSS database with:
certutil -d <database path> -A -n <nickname> -t u,u,u
Then use pk12util to generate a p12 file containing the cert and the key:
pk12util -o outputfile.p12 -d <database path> -n <nickname>
Warning: the file contains the private key and the certificate and should be protected.
HTH,
flo
On Wed, Jul 26, 2023 at 1:50 PM Jernej Jakob via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
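flo's NSS-database procedure end to end, plus the final conversion to the PEM certificate and PEM key the original poster asked for, as an added example (mine, not flo's message and not FreeIPA project code). Assumed and purely illustrative: the database directory, the nickname "employee", the subject, and a PKCS#12 password kept in a file; the certificate file is the PEM obtained via Actions > Download in the WebUI after IPA has issued the cert for the CSR.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeIPA project code): key and CSR in an
# NSS database, import of the WebUI-downloaded cert, export as PKCS#12, split to PEM.
# Assumed (illustrative): database path, nickname "employee", subject, password file.
set -eu

# Create the database and a key+CSR inside it (flo's two certutil commands).
# --empty-password keeps the example non-interactive; a real database should get
# a password (certutil -N -f <pwfile>) and the later commands then take -f too.
nss_init_and_csr() {
    db=$1; subject=$2; csr_out=$3
    mkdir -p "$db" && chmod 700 "$db"
    certutil -N -d "$db" --empty-password
    certutil -R -d "$db" -a -g 3072 -s "$subject" -o "$csr_out"
}

# Import the PEM certificate downloaded from the WebUI under a nickname. NSS pairs
# it with the private key that certutil -R left in the database.
nss_import_cert() {
    db=$1; nick=$2; cert_pem=$3
    certutil -A -d "$db" -n "$nick" -t u,u,u -a -i "$cert_pem"
}

# The check to run before pk12util: is there a private key bound to that nickname?
# certutil -K prints "(orphan)" for a key with no matching cert and the nickname
# once the cert has been imported; a cert added to a DB that never held the key
# shows no key line at all and cannot be exported with its key.
nss_has_key() {
    certutil -K -d "$1" 2>/dev/null | grep -q "[[:space:]]$2\$"
}

# Export cert + key as PKCS#12. The password comes from a file, not argv, and the
# AES ciphers avoid older pk12util defaults (RC2 for the cert bag) that OpenSSL 3
# cannot read without its legacy provider.
nss_export_p12() {
    db=$1; nick=$2; out=$3; pwfile=$4
    ( umask 077
      pk12util -o "$out" -d "$db" -n "$nick" -w "$pwfile" -c AES-256-CBC -C AES-256-CBC )
}

# Split the PKCS#12 into cert.pem and key.pem. -nodes writes the key unencrypted,
# so it is created 0600; delete or encrypt the .p12 once it has served its purpose.
p12_to_pem() {
    p12=$1; pwfile=$2; cert_out=$3; key_out=$4
    openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "file:$pwfile" -out "$cert_out"
    ( umask 077
      openssl pkcs12 -in "$p12" -nocerts -nodes -passin "file:$pwfile" -out "$key_out" )
}

# Usage (after IPA has issued the CSR and cert.pem was downloaded from the WebUI):
#   nss_init_and_csr ~/nssdb 'CN=employee,O=DEMO1.FREEIPA.ORG' csr.pem
#   nss_import_cert ~/nssdb employee cert.pem
#   nss_has_key ~/nssdb employee || { echo "no key for employee in ~/nssdb" >&2; exit 1; }
#   echo "$P12_PASS" > p12.pw   # keep this file 0600
#   nss_export_p12 ~/nssdb employee employee.p12 p12.pw
#   p12_to_pem employee.p12 p12.pw cert.pem key.pem
```

The nss_has_key check is the part that explains the original question: the WebUI can only hand back the certificate, and pk12util can only export a key that is already sitting in the same NSS database that produced the CSR. If the CSR was generated elsewhere, there is nothing to export from this database, and the key has to be taken from wherever certutil -R (or openssl) wrote it.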