I might as well write this down here :) I have found this mechanism works:
On the service machine:

- openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
  # a common name must be entered here which is the hostname

In the IPA interface:

- Services
- Add
- HTTP/service.domain....@domain.com
- New Certificate
- Paste the output of the 'openssl' command
- Get
- Copy contents

On the service machine:

- Paste contents -> /etc/pki/tls/certs/ca.crt
- Move private key -> /etc/pki/tls/certs/ca.key
- adjust "SSLCertificateFile" in apache
- adjust "SSLCertificateKeyFile" in apache

However running:

    ipa-getcert request -f /etc/pki/tls/certs/ca.crt -k /etc/pki/tls/certs/ca.key -r

replaces all of the above. It will return something like:

    "New signing request "20140426115309" added."

If you want to replace the certificate, run this first:

    ipa-getcert stop-tracking -i 20140426115309

Else you will see this message:

    Certificate at same location is already used by request with nickname "20140426115309".

And here are some official docs I just found:
http://www.freeipa.org/page/Certmonger#OpenSSL

On 26 April 2014 09:02, Andrew Holway <andrew.hol...@gmail.com> wrote:
>> There are also some good docs and examples in the certmonger git repo in
>> docs folder and here.
>> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/certmongerX.html
>
> Hi,
>
> The docs seem to explain quite well how to request a certificate but
> not how to actually issue a certificate. I'm looking at guides like
> this - http://wiki.centos.org/HowTos/Https - and wondering how I fill
> in the bits that are missing.
>
> I guess the real issue that I am facing here is that I want to get an
> openssl certificate signed by freeipa which is nss. I am guessing that
> you can't do this with certmonger?
>
> Sorry if I am being somewhat confusing. I'm struggling to get my head
> around all this.
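
Whichever route from the message above is used (pasting from the IPA interface or ipa-getcert), the resulting files can be checked before Apache is pointed at them. The script below is an added example, not part of the original post or of FreeIPA/certmonger: check_pair and make_demo_pair are hypothetical helper names, and the demo certificate is a constructed self-signed stand-in for an IPA-issued one.

```shell
#!/bin/sh
# Added example: sanity-check a certificate/key pair before setting
# SSLCertificateFile / SSLCertificateKeyFile in Apache.
# check_pair is a hypothetical helper, not a FreeIPA or certmonger command.

# check_pair CERT KEY HOST: prints findings, returns 0 only if every check passes
check_pair() {
    cert=$1 key=$2 host=$3 rc=0

    # 1. The public key in the certificate must be the one derived from the key file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert"; rc=1
    fi

    # 2. The certificate must be valid for the hostname clients connect to.
    #    Some openssl builds exit 0 either way, so test the message text.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
            grep -q 'does match'; then
        echo "FAIL: $cert is not valid for $host"; rc=1
    fi

    # 3. The key was generated with -nodes (no passphrase), so it must carry
    #    no group or other permission bits.
    case $(ls -lLd "$key" 2>/dev/null) in
        -???------*) ;;
        *) echo "FAIL: $key is accessible to group/other"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $cert / $key usable for $host"
    return "$rc"
}

# make_demo_pair DIR HOST: constructed self-signed pair for trying the checks offline
make_demo_pair() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/demo.key" -out "$1/demo.crt" 2>/dev/null &&
    chmod 600 "$1/demo.key"
}

# Usage with the paths from the post:
#   check_pair /etc/pki/tls/certs/ca.crt /etc/pki/tls/certs/ca.key "$(hostname -f)"
```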