Jochen Kellner via FreeIPA-users wrote:
> 3. August 2017 03:03, "Fraser Tweedale via FreeIPA-users"
>> On Wed, Aug 02, 2017 at 11:11:09PM +0200, Jochen Hein via FreeIPA-users
>>> I'm playing around with keycloak and wanted to use an SSL certificate
>>> from IPA. I've looked around but didn't see any howto about using java
>>> keytool with ipa-getcert. Has someone experience with it?
>> Might as well jump straight to commands/logs :)
> I did some more research yesterday and finally got a certificate
> along the following lines:
> - Generate a java keystore with keytool as described in the keycloak docs.
> - Generate a csr with keytool and paste it into Freeipa.
> - Got a certificate back from Freeipa.
> - Import the certificate into keytool (again keycloak docs).
> My first tries had the cert attributes wrong, but I think I now got it right,
> but need to check with chrome to be sure. I'll post my steps later.
> I was not successful in creating a certificate with ipa-getcert and
> importing the key into keytool. But I'll try to get something monitored by
> certmonger - otherwise I'm sure the cert would expire...
certmonger doesn't support storing certificates in a java keystore.
certmonger has the concept of pre and post renewal scripts so you can,
for example, stop or start a service, or import a renewed certificate
somewhere else (IPA uses this to store a copy of some certificates in LDAP).
So theoretically certmonger could, for example, track PEM files in the
filesystem and upon renewal run a post script to import the updated cert
into the java keystore.
The tricky bit might be in dealing with the CSR. certmonger needs the
private key in order to do the renewal.
I guess one thing you could do is a straight ipa-getcert -f
/path/to/cert.pem -k /path/to/key.pem ... <other options> -C
Then take the resulting PEM files, create a PKCS#12 file out of them,
and import that into your java keystore. Then all renewals will run that
post-script which you can setup to update the cert in the java keystore.
I don't know much at all about java so there is a lot of hand waving
going on. I hope some of it makes some sense/is doable.
FreeIPA-users mailing list -- email@example.com
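The workflow sketched in the reply (certmonger tracks a PEM cert/key pair, a post-save command turns it into PKCS#12 and imports it into the Java keystore) as an added, runnable example. This is editor-written code, not from the thread, FreeIPA or Keycloak; every path, the alias, the principal and the service name are assumptions. The `ipa-getcert request` line in the header comment is hypothetical and only shows where the `-C` hook plugs in.

```shell
#!/bin/sh
# Added example, not from the original thread: a certmonger post-save hook that
# turns the PEM cert/key certmonger tracks into a PKCS#12 bundle and swaps it
# into a Java keystore. All paths, the alias and the principal are assumptions.
#
# Hypothetical request that tracks the PEM pair and runs this script after
# every (re)issuance, as the reply suggests:
#   ipa-getcert request -f /etc/pki/tls/certs/keycloak.crt \
#       -k /etc/pki/tls/private/keycloak.key \
#       -K HTTP/sso.example.com -D sso.example.com \
#       -C "/usr/local/sbin/keystore-update.sh /etc/pki/tls/certs/keycloak.crt /etc/pki/tls/private/keycloak.key"
set -eu

CA_CHAIN=${CA_CHAIN:-/etc/ipa/ca.crt}                  # IPA CA chain (assumed path)
KEYSTORE=${KEYSTORE:-/opt/keycloak/conf/keystore.jks}  # keystore keycloak reads (assumed)
ALIAS=${ALIAS:-keycloak}                               # entry name inside the keystore
STOREPASS_FILE=${STOREPASS_FILE:-/etc/keycloak/keystore.pass}  # assumed, root-owned, mode 0600

# cert_matches_key CERT KEY: succeed only if CERT carries the public half of
# KEY. Prevents importing a renewed cert alongside the wrong (old) key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# build_pkcs12 CERT KEY CHAIN OUT: bundle cert+key (+chain when CHAIN is a
# non-empty file) into OUT. The export password is taken from $P12PASS via
# openssl's env: form, so it never shows up on a command line.
build_pkcs12() {
    cert=$1; key=$2; chain=$3; out=$4
    : "${P12PASS:?P12PASS must be set}"
    if [ -s "$chain" ]; then set -- -certfile "$chain"; else set --; fi
    umask 077
    openssl pkcs12 -export -in "$cert" -inkey "$key" ${1+"$@"} \
        -name "$ALIAS" -out "$out" -passout env:P12PASS
}

# import_pkcs12 P12: copy the ALIAS entry from the bundle into KEYSTORE.
# -noprompt makes keytool overwrite an existing alias; passwords are read
# with keytool's :env modifier, again keeping them off argv.
import_pkcs12() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env P12PASS \
        -srcalias "$ALIAS" -destalias "$ALIAS" \
        -destkeystore "$KEYSTORE" -deststorepass:env STOREPASS
}

main() {
    cert=$1; key=$2
    cert_matches_key "$cert" "$key" || { echo "$cert does not match $key" >&2; exit 1; }
    STOREPASS=$(cat "$STOREPASS_FILE"); export STOREPASS
    P12PASS=$STOREPASS; export P12PASS   # same secret, so key and store passwords agree
    tmp=$(mktemp /tmp/keystore-update.XXXXXX)
    trap 'rm -f "$tmp"' EXIT
    build_pkcs12 "$cert" "$key" "$CA_CHAIN" "$tmp"
    import_pkcs12 "$tmp"
    # Restart the consumer here if it does not reload the keystore on its own,
    # e.g. systemctl restart keycloak (service name is an assumption).
}

# Only run the hook when certmonger (or an operator) passes CERT KEY.
[ $# -eq 0 ] || main "$@"
```

Two caveats worth checking before relying on this: certmonger runs the `-C` command as root after every save, so the password file and the keystore must be readable only by root (or by the account that owns the keystore), and on OpenSSL 3 the default PKCS#12 encryption (AES-256-CBC with PBKDF2) is rejected by older JDKs; if `keytool` refuses the bundle, add `-legacy` to the `openssl pkcs12 -export` call.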