Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
writes:

> certmonger doesn't support storing certificates in a java keystore.
>
> certmonger has the concept of pre and post renewal scripts so you can,
> for example stop or start a service, or import a renewed certificate
> somewhere else (IPA uses this to store a copy of some certificates in LDAP).
>
> So theoretically certmonger could for example, track PEM files in the
> filesystem and upon renewal run a post script to import the updated cert
> into the java keystore.

This is my current script to get a cert from IPA, which is tracked by
certmonger.  I've yet to test refreshing a certificate, but the steps
manually did work (I expect some SELinux woes...):

# Get a certificate and key from IPA
#ipa-getcert request -w -f /etc/pki/tls/certs/saml.example.org.crt \
#                       -k /etc/pki/tls/private/saml.example.org.key \
#                       -N CN=saml.example.org \
#                       -D saml.example.org \
#                       -K HTTP/saml.example.org -U 1.3.6.1.5.5.7.3.1
##                       -C "<here-we-call-the-commands-below>"

cd /opt/jboss/keycloak/standalone/configuration

# We need to have the password we use on the keystore also as the key password.
# IPA keys do not have a password - let's add one to a temp file.
openssl rsa -des3 -in /etc/pki/tls/private/saml.example.org.key -out saml.example.org.key \
            -passout file:/opt/jboss/keycloak/standalone/configuration/keystore.password

# Combine the key, the cert, and the CA cert into a pkcs12 file, which we'll
# import with keytool later.  We need two password files with the same content,
# otherwise we'll get "Error reading password from BIO".
openssl pkcs12 -export \
               -passin  file:/opt/jboss/keycloak/standalone/configuration/keystore.password \
               -passout file:/opt/jboss/keycloak/standalone/configuration/keystore.password2 \
               -in /etc/pki/tls/certs/saml.example.org.crt -inkey saml.example.org.key \
               -CAfile /etc/ipa/ca.crt -out temp.p12 -chain
               #-in /etc/pki/tls/certs/saml.example.org.crt -inkey /etc/pki/tls/private/saml.example.org.key \

# Now we can import our "pkcs12 keystore" into the keytool keystore we'll use
# for wildfly/keycloak
keytool -importkeystore -trustcacerts \
        -srckeystore temp.p12 -srcstoretype PKCS12 \
        -srcstorepass:file /opt/jboss/keycloak/standalone/configuration/keystore.password \
        -destkeypass:file /opt/jboss/keycloak/standalone/configuration/keystore.password \
        -deststorepass:file /opt/jboss/keycloak/standalone/configuration/keystore.password \
        -destkeystore /opt/jboss/keycloak/standalone/configuration/keycloak.jks

# We might now restart keycloak to activate the new certificate
#systemctl restart keycloak.service

Phew, there were some hurdles, some google-fu needed, and lots of
trial-and-error. I'm not sure how we can help other users of keytool,
but I'm confident I can get automatic refresh implemented.

Jochen

-- 
This space is intentionally left blank.
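A complete certmonger post-save hook along the lines Rob describes above, added here as an example; it is not code from either posting or from the FreeIPA project. It bundles the renewed PEM cert and key into a PKCS12 and imports that into the JKS in one unattended step; the script path, argument layout and exit codes are this example's own choices, and it assumes openssl and keytool on PATH.

```shell
#!/bin/sh
# cert-to-jks.sh: certmonger post-save hook. Register it with
#   ipa-getcert request ... -C "/usr/local/sbin/cert-to-jks.sh CERT KEY CA JKS PASSFILE ALIAS [UNIT]"
# The script path and argument layout are this example's own choices.
set -eu

# Refuse to touch the keystore when the renewed cert does not belong to the key
# (guards against importing a half-written or stale cert/key pair).
cert_matches_key() {
    a=$(openssl x509 -noout -pubkey -in "$1" | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    b=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$a" = "$b" ]
}

# cert_to_jks CERT KEY CA_BUNDLE JKS PASSFILE ALIAS [UNIT]
# Returns 0 on success, 3 if openssl/keytool are missing, 4 on cert/key mismatch, 1 otherwise.
cert_to_jks() {
    cert=$1 key=$2 ca=$3 jks=$4 passfile=$5 alias=$6
    command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1 || return 3
    [ -r "$cert" ] && [ -r "$key" ] && [ -r "$ca" ] && [ -r "$passfile" ] || return 1
    cert_matches_key "$cert" "$key" || return 4
    # Private-key material only ever lands in a temp dir nobody else can read.
    umask 077
    work=$(mktemp -d) || return 1
    # The PKCS12 stores the key encrypted under the keystore password, so the key and
    # store passwords are identical from the start; no openssl rsa -des3 step and no
    # second password file. -chain/-CAfile embeds the issuer chain as in the posting.
    openssl pkcs12 -export -name "$alias" -in "$cert" -inkey "$key" \
        -chain -CAfile "$ca" -passout "file:$passfile" -out "$work/renewed.p12" \
        || { rm -rf "$work"; return 1; }
    # -noprompt lets keytool overwrite the existing alias without a tty, which a
    # certmonger hook does not have. Passwords come from the file, never from argv.
    keytool -importkeystore -noprompt \
        -srckeystore "$work/renewed.p12" -srcstoretype PKCS12 \
        -srcstorepass:file "$passfile" -srcalias "$alias" \
        -destkeystore "$jks" -deststoretype JKS -destalias "$alias" \
        -deststorepass:file "$passfile" -destkeypass:file "$passfile" \
        || { rm -rf "$work"; return 1; }
    rm -rf "$work"
    # Reload the consumer (e.g. keycloak.service) only after the import succeeded.
    if [ $# -ge 7 ]; then systemctl try-restart "$7"; fi
}

# certmonger calls this file with arguments; run without any, it only defines the functions.
if [ $# -ge 6 ]; then cert_to_jks "$@"; fi
```

Because the key inside the PKCS12 is protected with the same password file the JKS uses, the re-encryption of the IPA key and the second password file from the script above are not needed.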