Rob Crittenden via FreeIPA-users <firstname.lastname@example.org>
> certmonger doesn't support storing certificates in a java keystore.
> certmonger has the concept of pre and post renewal scripts so you can,
> for example stop or start a service, or import a renewed certificate
> somewhere else (IPA uses this to store a copy of some certificates in LDAP).
> So theoretically certmonger could for example, track PEM files in the
> filesystem and upon renewal run a post script to import the updated cert
> into the java keystore.
This is my current script to get a cert from IPA, which is tracked by
certmonger. I've yet to test refreshing a certificate, but the steps
manually did work (I expect some SELinux woes...):
# Get a certificate and key from IPA (-U takes the extended key usage OID,
# -C the command certmonger runs after each issue/renewal)
#ipa-getcert request -w -f /etc/pki/tls/certs/saml.example.org.crt \
#  -k /etc/pki/tls/private/saml.example.org.key \
#  -N CN=saml.example.org \
#  -D saml.example.org \
#  -K HTTP/saml.example.org -U 126.96.36.199.188.8.131.52.1 \
#  -C "<here-we-call-the-commands-below>"

# Placeholders - set these for your host
PASS1=/path/to/keystore.pass1      # keystore password, mode 0600
PASS2=/path/to/keystore.pass2      # same content as PASS1 (see below)
ENC_KEY=/path/to/saml.example.org.enc.key
KEYSTORE=/path/to/keycloak.jks     # keytool keystore used by wildfly/keycloak

# We need to have the password we use on the keystore also as the key password.
# IPA keys do not have a password - let's add one to a temp file.
openssl rsa -des3 -in /etc/pki/tls/private/saml.example.org.key \
  -passout "file:$PASS1" -out "$ENC_KEY"

# Combine the key, the cert, and the CA cert into a pkcs12 file, which we'll
# import with keytool later. We need two password files with the same content,
# otherwise we'll get "Error reading password from BIO".
openssl pkcs12 -export \
  -in /etc/pki/tls/certs/saml.example.org.crt -inkey "$ENC_KEY" \
  -passin "file:$PASS1" -passout "file:$PASS2" \
  -CAfile /etc/ipa/ca.crt -out temp.p12 -chain

# Now we can import our "pkcs12 keystore" into the keytool keystore we'll use
# for wildfly/keycloak
keytool -importkeystore -trustcacerts \
  -srckeystore temp.p12 -srcstoretype PKCS12 -srcstorepass:file "$PASS1" \
  -destkeystore "$KEYSTORE" -deststoretype JKS -deststorepass:file "$PASS1"

# We might now restart keycloak to activate the new certificate
#systemctl restart keycloak.service
Puh, there were some hurdles, some google-fu needed, and lots of
trial-and-error. I'm not sure how we can help other users of keytool,
but I'm confident to get automatic refresh implemented,
This space is intentionally left blank.
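A complete certmonger post-save hook for this flow, added here as an example (not the poster's script and not anything shipped by FreeIPA or Keycloak): it assumes the placeholder keystore, password-file, alias and service values shown, reads the keystore password from a 0600 file rather than argv, refuses to import when the renewed certificate does not match the private key, and removes the PKCS#12 bundle afterwards.

```shell
#!/bin/bash
# Post-save hook for certmonger: re-import the renewed PEM cert/key into the
# Java keystore Keycloak/WildFly reads, then restart the service. Placeholder
# paths below are assumptions; override them via the environment.
# Wiring:  ipa-getcert request ... -C "/usr/local/sbin/ipa-to-jks.sh run"
set -u

CERT=${CERT:-/etc/pki/tls/certs/saml.example.org.crt}
KEY=${KEY:-/etc/pki/tls/private/saml.example.org.key}
CA_CERT=${CA_CERT:-/etc/ipa/ca.crt}
KEYSTORE=${KEYSTORE:-/opt/keycloak/standalone/configuration/keycloak.jks}  # placeholder
PASS_FILE=${PASS_FILE:-/etc/keycloak/keystore.pass}   # placeholder; keystore password, mode 0600
ALIAS=${ALIAS:-saml}
SERVICE=${SERVICE:-keycloak.service}

# Password file must be non-empty and unreadable by group/others.
pass_file_ok() {
    [ -s "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1") || return 1
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# Succeed only if the certificate's public key matches the private key, so a
# half-written renewal never replaces a working keystore entry.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Bundle key + cert + chain into a PKCS#12 file in a private temp dir and
# replace the keystore entry. Passwords come from a file, never argv (ps).
import_into_keystore() {
    cert_matches_key "$CERT" "$KEY" || { echo "cert/key mismatch" >&2; return 1; }
    pass_file_ok "$PASS_FILE" || { echo "bad password file" >&2; return 1; }
    umask 077
    tmp=$(mktemp -d) || return 1
    trap 'rm -rf "$tmp"' EXIT        # never leave the bundle behind
    openssl pkcs12 -export -chain -CAfile "$CA_CERT" -in "$CERT" -inkey "$KEY" \
        -name "$ALIAS" -passout "file:$PASS_FILE" -out "$tmp/bundle.p12" || return 1
    # keytool will not overwrite an alias, so drop the previous entry first
    keytool -delete -alias "$ALIAS" -keystore "$KEYSTORE" \
        -storepass:file "$PASS_FILE" >/dev/null 2>&1 || true
    keytool -importkeystore -noprompt \
        -srckeystore "$tmp/bundle.p12" -srcstoretype PKCS12 \
        -srcstorepass:file "$PASS_FILE" -srcalias "$ALIAS" \
        -destkeystore "$KEYSTORE" -deststoretype JKS \
        -deststorepass:file "$PASS_FILE" -destalias "$ALIAS"
}

if [ "${1:-}" = run ]; then
    import_into_keystore && systemctl restart "$SERVICE"
fi
```

Because the PKCS#12 store password becomes the imported key's password by default, the keystore and key passwords end up identical without first re-encrypting the IPA key.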
FreeIPA-users mailing list -- email@example.com