Rob Crittenden via FreeIPA-users <>

> certmonger doesn't support storing certificates in a java keystore.
> certmonger has the concept of pre and post renewal scripts so you can,
> for example stop or start a service, or import a renewed certificate
> somewhere else (IPA uses this to store a copy of some certificates in LDAP).
> So theoretically certmonger could, for example, track PEM files in the
> filesystem and upon renewal run a post script to import the updated cert
> into the java keystore.

This is my current script to get a cert from IPA, which is tracked by
certmonger.  I've yet to test refreshing a certificate, but the steps
manually did work (I expect some SELinux woes...):

# Get a certificate and key from IPA
# (file names that were given in <angle brackets> were stripped by the list
#  archive; the password option names below are restored as the obvious
#  openssl -passin/-passout and keytool ...:file forms)
#ipa-getcert request -w -f /etc/pki/tls/certs/ \
#                       -k /etc/pki/tls/private/ \
#                       -N \
#                       -D \
#                       -K HTTP/ -U
##                       -C "<here-we-call-the-commands-below>"

cd /opt/jboss/keycloak/standalone/configuration

# We need to have the password we use on the keystore also as the key password.
# IPA keys do not have a password - let's add one to a temp file.
openssl rsa -des3 -in /etc/pki/tls/private/ -out

# Combine the key, the cert, and the CA cert into a pkcs12 file, which we'll
# import with keytool later.  We need two password files with the same content,
# otherwise we'll get "Error reading password from BIO".
openssl pkcs12 -export \
               -passin  file:/opt/jboss/keycloak/standalone/configuration/keystore.password \
               -passout file:/opt/jboss/keycloak/standalone/configuration/keystore.password2 \
               -in /etc/pki/tls/certs/ -inkey \
               -CAfile /etc/ipa/ca.crt -out temp.p12 -chain
               #-in /etc/pki/tls/certs/ -inkey /etc/pki/tls/private/

# Now we can import our "pkcs12 keystore" into the keytool keystore we'll use
# for wildfly/keycloak
keytool -importkeystore -trustcacerts \
        -srckeystore temp.p12 -srcstoretype PKCS12 \
        -srcstorepass:file /opt/jboss/keycloak/standalone/configuration/keystore.password \
        -deststorepass:file /opt/jboss/keycloak/standalone/configuration/keystore.password \
        -destkeypass:file /opt/jboss/keycloak/standalone/configuration/keystore.password \
        -destkeystore /opt/jboss/keycloak/standalone/configuration/keycloak.jks

# We might now restart keycloak to activate the new certificate
#systemctl restart keycloak.service

Puh, there were some hurdles, some google-fu needed, and lots of
trial-and-error. I'm not sure how we can help other users of keytool,
but I'm confident to get automatic refresh implemented,


This space is intentionally left blank.
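Added example (my own script, not the poster's, and not certmonger's or FreeIPA's code): the same PEM -> PKCS#12 -> JKS conversion written as a certmonger post-save hook. It reads the keystore password once from a 0600 file and hands it to openssl with -passout env:, so no second password file is needed and the secret never appears on a command line; the unencrypted IPA key is bundled directly, so the separate "openssl rsa -des3" step goes away; keytool's -noprompt lets a renewal overwrite the existing alias. The intermediate .p12 is kept in a mktemp directory removed on exit. Everything concrete is an assumption: the key/cert names keycloak.key and keycloak.crt, the alias "keycloak", the hook path /usr/local/sbin/keycloak-cert-hook.sh, the keystore.password location, the CERT_HOOK_RUN guard variable, and -certfile in place of the poster's -CAfile/-chain.

```sh
#!/bin/sh
# Added example (not the poster's script, not certmonger/FreeIPA code):
# certmonger post-save hook that copies an IPA-issued PEM key/cert into a
# Java keystore.  All paths, the alias and the service name are placeholders.
set -eu

# build_pkcs12 KEY CERT CA OUT PASSFILE ALIAS
# Bundles key + cert + CA into a PKCS#12 file.  The bundle password is the
# first line of PASSFILE (a 0600 file), handed to openssl via env: so it is
# not on the command line (readable via /proc/<pid>/cmdline) and no second
# password file is needed.  An unencrypted IPA key is accepted as-is, so the
# extra "openssl rsa -des3" step is not required.
build_pkcs12() {
    key=$1; cert=$2; ca=$3; out=$4; passfile=$5; alias=$6
    P12PASS=$(head -n 1 "$passfile")
    export P12PASS
    # umask 077 in a subshell: the bundle contains the private key
    ( umask 077 && openssl pkcs12 -export \
          -in "$cert" -inkey "$key" -certfile "$ca" \
          -name "$alias" -passout env:P12PASS -out "$out" )
    unset P12PASS
}

# import_pkcs12_into_jks P12 JKS PASSFILE ALIAS
# keytool reads the first line of PASSFILE for every ...:file option; with a
# PKCS#12 source the store password doubles as the key password, and
# -noprompt makes a renewal overwrite the existing alias instead of asking.
import_pkcs12_into_jks() {
    p12=$1; jks=$2; passfile=$3; alias=$4
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 \
        -srcstorepass:file "$passfile" -srcalias "$alias" \
        -destkeystore "$jks" -deststoretype JKS \
        -deststorepass:file "$passfile" -destkeypass:file "$passfile" \
        -destalias "$alias"
}

# The hook itself.  certmonger runs the -C command without arguments, so the
# file names are fixed here.  Register it with something like
#   ipa-getcert request -f /etc/pki/tls/certs/keycloak.crt \
#       -k /etc/pki/tls/private/keycloak.key -K HTTP/$(hostname -f) \
#       -C /usr/local/sbin/keycloak-cert-hook.sh
keycloak_cert_hook() {
    conf=/opt/jboss/keycloak/standalone/configuration    # placeholder
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    build_pkcs12 /etc/pki/tls/private/keycloak.key \
                 /etc/pki/tls/certs/keycloak.crt /etc/ipa/ca.crt \
                 "$tmp/keycloak.p12" "$conf/keystore.password" keycloak
    import_pkcs12_into_jks "$tmp/keycloak.p12" "$conf/keycloak.jks" \
                           "$conf/keystore.password" keycloak
    systemctl restart keycloak.service
}

# Run the hook only when invoked with CERT_HOOK_RUN=1 (constructed guard so
# the functions can also be sourced without side effects).
if [ "${CERT_HOOK_RUN:-0}" = 1 ]; then
    keycloak_cert_hook
fi
```

Invoke it as CERT_HOOK_RUN=1 /usr/local/sbin/keycloak-cert-hook.sh from certmonger's -C option. Because certmonger runs the hook as root, the password file should be owned by root and mode 0600, and the SELinux context of the hook and of keycloak.jks is the part most likely to need a local policy tweak.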
FreeIPA-users mailing list --