URL: https://github.com/freeipa/freeipa/pull/542
Title: #542: Implementation independent interface for CSR generation

HonzaCholasta commented:
I would rather make things simple and remove the abstraction.

We can support NSS databases by PKCS#12 export/import until we have first-class 

1. generate private key and temporary cert in the NSS database:
   `certutil -S ...`
2. export the private key from the NSS database into a temporary PKCS#12 file:
   `pk12util -o key.p12 ...`
3. delete the temporary cert from the NSS database:
   `certutil -D ...`
4. extract the private key from the temporary PKCS#12 file into a temporary 
PKCS#8 file:
   `openssl pkcs12 -in key.p12 -nocerts -out key.pem ...`
5. delete the temporary PKCS#12 file
6. request a certificate using the OpenSSL workflow on the temporary PKCS#8 file
7. import the certificate into the NSS database

Granted, this won't work with HSMs, but I think that's OK, given it is only a 
temporary solution.

See the full comment at 
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to