8:05 a.m.
https://frasertweedale.github.io/blog-redhat/posts/2019-10-24-removing-ip...
I'm going to try this scheme instead of CA
Httpd. pem ladp. Pem ladp. Pem httpd.pem ladp.I hope I can get some guidance. Thank you
1:Generate ca-key ca-cert
#openssl req -new -x509 -keyout ca-key -out ca-cert -days 365
2: Generate certificate signing request:
#openssl req -new -key ca-key -out csr.csr
3:Generate pem
openssl req -x509 -days 365 -key ca-key -in csr.csr -out http.pem
openssl req -x509 -days 365 -key ca-key -in csr.csr -out ldap.pem
4:install freeipa
root@migration-ipa-65:~/test_ca# ipa-cacert-manage install ca-cert
Installing CA certificate, please wait
CA certificate successfully installed
5:install http.pem
root@migration-ipa-65:~/test_ca# ipa-server-certinstall \
--dirman-pass xxx \
--http /root/test_ca/http.pem --pin xxx
No server certificates found in
/root/test_ca/http.pem
The ipa-server-certinstall command failed.
1:11 a.m.
https://frasertweedale.github.io/blog-redhat/posts/2019-10-24-removing-ip...
I'm going to try this scheme instead of CA
Httpd. pem ladp. Pem ladp. Pem httpd.pem ladp.I hope I can get some guidance. Thank you
1:Generate ca-key ca-cert
#openssl req -new -x509 -keyout ca-key -out ca-cert -days 365
2: Generate certificate signing request:
#openssl req -new -key ca-key -out csr.csr
3:Generate pem
openssl req -x509 -days 365 -key ca-key -in csr.csr -out http.pem
openssl req -x509 -days 365 -key ca-key -in csr.csr -out ldap.pem
4:install freeipa
root@migration-ipa-65:~/test_ca# ipa-cacert-manage install ca-cert
Installing CA certificate, please wait
CA certificate successfully installed
5:install http.pem
root@migration-ipa-65:~/test_ca# ipa-server-certinstall \
No server certificates found in
/root/test_ca/http.pem
The ipa-server-certinstall command failed.
https://mariadb.com/docs/security/data-in-transit-encryption/create-self-...
Pem client-req.pem is replaced by httpd.pem, which is the same error. How do I need to
generate the certificate to execute it correctly?Freeipa document part is really difficult
to find, please help, thank you
2:36 a.m.
New subject: No server certificates found in /xx/http.pem The ipa-server-certinstall command failed.
https://mariadb.com/docs/security/data-in-transit-encryption/create-self-...
Pem client-req.pem is replaced by httpd.pem, which is the same error. How do I need to
generate the certificate to execute it correctly?Freeipa document part is really
difficult
to find, please help, thank you
root@migration-ipa-65:~/maria_ca# ipa-cacert-manage -p directorypassxx -n yydevopsca -t
C,, install ca-cert.pem
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful
root@migration-ipa-65:~/maria_ca# ipa-certupdate
trying https://migration-ipa-65.185.hiido.host.yydevops.com/ipa/json
Forwarding 'ca_is_enabled' to json server
'https://migration-ipa-65.185.hiido.host.yydevops.com/ipa/json'
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
root@migration-ipa-65:~/maria_ca# ipa-server-certinstall -w -d
/root/maria_ca/server-key.pem /root/maria_ca/server-cert.pem
Directory Manager password:
Enter private key unlock password:
The ipa-server-certinstall command was successful
Resolved, there is a host name limitation, hope the document can be completed
8:20 a.m.
New subject: No server certificates found in /xx/http.pem The ipa-server-certinstall command failed.
roy liang via FreeIPA-users wrote:
>
https://mariadb.com/docs/security/data-in-transit-encryption/create-self-...
>
> Pem client-req.pem is replaced by httpd.pem, which is the same error. How do I need
to
> generate the certificate to execute it correctly?Freeipa document part is really
difficult
> to find, please help, thank you
root@migration-ipa-65:~/maria_ca# ipa-cacert-manage -p directorypassxx -n yydevopsca -t
C,, install ca-cert.pem
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful
root@migration-ipa-65:~/maria_ca# ipa-certupdate
trying https://migration-ipa-65.185.hiido.host.yydevops.com/ipa/json
Forwarding 'ca_is_enabled' to json server
'https://migration-ipa-65.185.hiido.host.yydevops.com/ipa/json'
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
root@migration-ipa-65:~/maria_ca# ipa-server-certinstall -w -d
/root/maria_ca/server-key.pem /root/maria_ca/server-cert.pem
Directory Manager password:
Enter private key unlock password:
The ipa-server-certinstall command was successful
Resolved, there is a host name limitation, hope the document can be completed
Documents like this are for testing purposes only. We don't want to
encourage/enable users to roll their own PKI solution as it is bound to
lead to problems.
The mariadb instructions issue 10-year server certificates which is well
out of best practices for production systems. It also almost guarantees
that this will all have to be re-done from scratch because in 10 years
either nobody will remember how to issue new certificates or the CA key
will be lost to time. The certificates it generates also don't follow
X.509 best practices regarding extensions.
They may work fine for you but it's a time bomb and you could have
interoperability problems.
If you do intend to maintain your own I'd strongly encourage you to take
steps to protect the CA key and retain instructions for issuing new
certificates for when they eventually expire and set a calendar reminder.
rob
8:49 a.m.
New subject: No server certificates found in /xx/http.pem The ipa-server-certinstall command failed.
Hi,
Rob Crittenden via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
writes:
Documents like this are for testing purposes only. We don't want
to
encourage/enable users to roll their own PKI solution as it is bound to
lead to problems.
I can confirm it's a real problem.
The mariadb instructions issue 10-year server certificates which is
well
out of best practices for production systems. It also almost guarantees
that this will all have to be re-done from scratch because in 10 years
either nobody will remember how to issue new certificates or the CA key
will be lost to time. The certificates it generates also don't follow
X.509 best practices regarding extensions.
They may work fine for you but it's a time bomb and you could have
interoperability problems.
I used to have a little CA with easyCA and created certificates for
internal use for a couple of years. Once the browser world moved to
newer requirements I needed to recreate some server certs. The last blow
was that the CA signing key was no longer accepted by the browsers. When
that happened I replaced all cert with FreeIPA issued certs and never
looked back. certmonger is a killer tool here - no more manual
certificate switches...
I assume we'll see stronger requirements every couple of years now.
Jochen
--
This space is intentionally left blank.
665
days inactive
666
days old
freeipa-users@lists.fedorahosted.org
4 comments
3 participants
participants (3)
-
Jochen Kellner -
Rob Crittenden -
roy liang