lejeczek via FreeIPA-users wrote:
> On 19/07/17 20:06, Rob Crittenden via FreeIPA-users wrote:
>> lejeczek via FreeIPA-users wrote:
>>> hello fellas
>>> those certs I see with:
>>> $ ipa cert-find
>>> is it possible to get private key(s) for a given cert? With means of
>>> (any) command line?
>> Not from the CA, no.
>> The CA doesn't store the private keys for the certificates it issues and
>> never sees them at all.
>> You need access to the filesystem containing the private keys to be able
>> to retrieve/extract them.
>> FreeIPA-users mailing list -- firstname.lastname@example.org
>> To unsubscribe send an email to
> so these are replicas/host certs created during replica/host add that
> I'm looking at - where does IPA store those private keys?
> Would there be any howto on how to get cert+keys pair in standard pem
> out of IPA to use outside of IPA?
Depends on what you mean by outside of IPA.
It is a rather terrible idea to share keys between services
security-wise, especially given how easy it is to get a cert from IPA.
That said, it isn't a secret where they are stored. The web cert/key is
in /etc/httpd/alias and the ldap cert/key is in /etc/dirsrv/slapd-REALM.
You can use pk12util to export the cert and key as a PKCS#12 file and
then openssl pkcs12 to extract the key from that.
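The PKCS#12-to-PEM step described in the reply above, as an added example that is not part of the original thread: it splits a bundle with `openssl pkcs12`, keeps the key file owner-only, and checks that the extracted key belongs to the certificate. It assumes `openssl` is installed; the bundle is a constructed throwaway built with openssl as a stand-in for `pk12util` output, and the function names, password and nickname are made up for the demonstration.

```sh
#!/bin/sh
# Added example: constructed, throwaway key material only.
set -eu

# Stand-in for the NSS export step, which on a real host would be
#   pk12util -o bundle.p12 -n <nickname> -d <NSS database directory>
# Here a throwaway self-signed cert is bundled with openssl instead.
make_sample_p12() {  # $1 = work dir, $2 = PKCS#12 password (constructed)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo.example.test" \
        -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/orig.crt" \
        -name "demo-nickname" -passout "pass:$2" -out "$1/bundle.p12"
}

# Split the bundle into PEM files; the umask keeps the key owner-only.
# "pass:" is used for the demo; a real run would prompt or use "file:".
extract_pem() {  # $1 = work dir, $2 = PKCS#12 password
    (
        umask 077
        openssl pkcs12 -in "$1/bundle.p12" -passin "pass:$2" \
            -nocerts -nodes -out "$1/key.pem" 2>/dev/null
        openssl pkcs12 -in "$1/bundle.p12" -passin "pass:$2" \
            -nokeys -clcerts -out "$1/cert.pem" 2>/dev/null
    )
}

# True only if the public key derived from the private key is identical
# to the public key embedded in the certificate (both as SPKI PEM).
key_matches_cert() {  # $1 = key PEM, $2 = cert PEM
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_sample_p12 "$work" "demo-pass"
extract_pem "$work" "demo-pass"
if key_matches_cert "$work/key.pem" "$work/cert.pem"; then
    echo "extracted key matches certificate"
else
    echo "key/certificate mismatch" >&2
    exit 1
fi
```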