On 3/19/19 7:07 PM, Azim Siddiqui wrote:
Hi,

I was wondering, is there any way I can extract the private key and certificate from the nssdb directory? Because the one key I have is not matching the certificate.

Hi
I am insisting, but please keep freeipa-users in copy.

What do you mean by "extract"? Do you want to remove the key from the nssdb? or transform it into another format? To remove a private key from a nssdb, use the certutil command with -F option. You can find the full format in the man page certutil(1).

If you want to create a PKCS12 file containing the private key and certificate:
pk12util -o keys.p12 -n $alias -d $NSSDB

If you want a PEM file containing the private key:
pk12util -o keys.p12 -n $alias -d $NSSDB
openssl pkcs12 -in keys.p12 -out cert.key -nodes

If you want a PEM file containing the cert:
certutil -L -d $NSSDB -n $alias -a -o cert.pem

But first of all, which NSSDB directory are you working with? A NSSDB can contain multiple keys and certificates, and also certificates without matching private keys. Can you show the content of your NSSDB?
certutil -L -d $NSSDB
certutil -K -d $NSSDB

flo
Thanks,
Azeem

    On Tue, 19 Mar 2019 at 13:01, Florence Blanc-Renaud <[email protected]> wrote:

    On 3/19/19 4:18 PM, Azim Siddiqui wrote:
    > Hi Florence,
    >
    > Thanks for the info. I will check for the ipa cert-find command and will send you the output. Actually, when I am trying to do $ kinit admin it is asking for a password. And I am not sure about the password, as I said it was set by the previous system admin.
    >
    Hi
    (re-adding freeipa-users in cc)

    if you do kinit -kt /etc/krb5.keytab you should also have enough permissions to perform ipa cert-find.

    > And also I can see there is a nssdb directory on the server. Do you by any chance know what that is for?
    There are many nssdb directories on a FreeIPA system. For instance /etc/ipa/nssdb is the NSS database used by the ipa * commands. It contains the certificates of the trusted certificate authorities. You can find more information re. NSS databases in the man page for certutil(1).

    >
    > If I have the private key on the server, how can I renew the certificate signed by IPA? Can you please provide me the steps.
    If you have the private key in $NSSDB database you just need to follow the steps provided in my first email (https://lists.fedorahosted.org/archives/list/[email protected]/message/RHHOGPIOFGKFXDZM5OE3DY3RCC7TVCSM/).

    flo
    >
    > thanks & Regards,
    > Azeem
    >
    > On Tue, 19 Mar 2019 at 04:57, Florence Blanc-Renaud <[email protected]> wrote:
    >
    > > On 3/18/19 7:50 PM, Azim Siddiqui wrote:
    > > > Hi Florence,
    > > >
    > > > Thanks for your reply.
    > > > I am referring to the applications. For example, we have Apache, haproxy, jenkins, git which use certs signed by IPA. And now when I am browsing these applications' URLs it is showing "this site is not secured".
    > > > And originally, this cert was created by a system admin who is not working with us now. So it's getting hard for me to figure out how I can create or renew the certs.
    > > >
    > > > And I don't see any files ssl.conf or nss.conf on the server.
    > > > The output for the getcert list command shows this:
    > > > getcert list
    > > > Number of certificates and requests being tracked: 0.
    > > >
    > > >
    > > > I just want to create a crt and key file signed by IPA, so that I can use it for the browsers.
    > > Hi,
    > >
    > > please keep the users mailing list in cc, so that everyone can get involved/see the resolution.
    > >
    > > It is difficult to provide advice with so little information. Can you start by checking which certificates were already issued by FreeIPA, and we'll see if they are expired?
    > >
    > > $ kinit admin
    > > $ ipa cert-find
    > >
    > > With the full output and based on the subject you'll be able to identify the host or service certs that you are using for your applications. For each of these certs, run
    > > $ kinit admin
    > > $ ipa cert-show <serial number>
    > > and the output will show if the cert is expired (check the Not After field).
    > >
    > > For an expired cert, you will be able to renew the cert if you still have the private key. The private key location can be found by checking the configuration of your applications.
    > > For instance apache on rhel or fedora stores its config in /etc/httpd/conf/httpd.conf, which by default loads the modules in conf.modules.d/*.conf and the config files in conf.d/*.conf.
    > >
    > > flo
    > > >
    > > > Thanks,
    > > > Azeem
    > > >
    > > >
    > > > On Mon, 18 Mar 2019 at 05:30, Florence Blanc-Renaud <[email protected]> wrote:
    > > >
    > > > > On 3/15/19 8:16 PM, Azim Siddiqui wrote:
    > > > > > Hi Florence,
    > > > > >
    > > > > > Hope you are doing good. I tried the way you said. But still, it is showing certificate is expired.
    > > > > >
    > > > > > Let me be more clear about it.
    > > > > >
    > > > > > We have apache running with an expired certificate which is signed by FreeIPA. Now I want to renew or create a new certificate. So can you please tell me how I can renew or create a new certificate signed by FreeIPA.
    > > > > > As whenever I am going to the Apache URL from the browser, it is showing "site is not secured".
    > > > > >
    > > > > > Thanks & Regards,
    > > > > > Azeem
    > > > > >
    > > > > Hi,
    > > > >
    > > > > (re-adding freeipa-users in CC).
    > > > > Can you first confirm that you are referring to a cert for the apache server *not running on one of the FreeIPA masters*?
    > > > >
    > > > > Then please explain how you originally obtained the certificate. Also include the following information:
    > > > > - relevant apache configuration (if using mod_ssl, then /etc/httpd/conf.d/ssl.conf or if using mod_nss, /etc/httpd/conf.d/nss.conf).
    > > > > - output of getcert list on the host running apache
    > > > >
    > > > > flo
    > > > >
    > > > > > On Wed, 19 Dec 2018 at 14:04, Florence Blanc-Renaud <[email protected]> wrote:
    > > > > >
    > > > > > > On 12/13/18 4:04 PM, Azim Siddiqui via FreeIPA-users wrote:
    > > > > > > > Hello,
    > > > > > > >
    > > > > > > > Hope you are doing good. I have a question regarding freeIPA host certificates.
    > > > > > > > We are using FreeIPA as our LDAP. We have some certificates for hosts, ex :- http/uat.com. And we are deploying the certs in Haproxy in PEM format.
    > > > > > > > But the certificates for this host have expired.
    > > > > > > > Can you please let me know in detail how to renew my expired certificates for the hosts. Please provide me the commands and steps.
    > > > > > > >
    > > > > > > Hi,
    > > > > > >
    > > > > > > from your description I understand that you are referring to certificates delivered by IPA CA for one of the IPA-enrolled hosts, but not the master's Server-Cert used for IPA Web GUI.
    > > > > > >
    > > > > > > In this case, how did you obtain the certificate? If you used a method similar to what is described in this wiki [1], the certificate should be monitored by certmonger and automatically renewed.
    > > > > > >
    > > > > > > If you followed instead this wiki [2], the certificate is not tracked by certmonger and needs to be manually renewed. You need to do the following, assuming that the cert is in a NSS database $NSSDB on the IPA client:
    > > > > > > - find the key nickname
    > > > > > > # certutil -K -d $NSSDB
    > > > > > > certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
    > > > > > > Enter Password or Pin for "NSS Certificate DB":
    > > > > > > < 0> rsa      7c0646606b33ab683ee4d1790719ebc4154db0f6   NSS Certificate DB:Server-Cert
    > > > > > > (note the key nickname for the next command)
    > > > > > >
    > > > > > > - create a new certificate request that will re-use the existing key (replace DOMAIN.COM with your IPA domain, in uppercase):
    > > > > > > # certutil -R -d $NSSDB -k "NSS Certificate DB:Server-Cert" -s "cn=`hostname`,O=DOMAIN.COM" -a -o /tmp/cert.csr
    > > > > > > Enter Password or Pin for "NSS Certificate DB":
    > > > > > >
    > > > > > > - request a certificate using the new certificate request
    > > > > > > # kinit admin
    > > > > > > # ipa cert-request --principal=HTTP/`hostname` /tmp/cert.csr
    > > > > > > (the output will display a Serial Number that needs to be noted for the next command)
    > > > > > >
    > > > > > > - remove the previous cert from the NSS database:
    > > > > > > # certutil -D -d $NSSDB -n Server-Cert
    > > > > > >
    > > > > > > - export the certificate to a file, then import the certificate in the NSS database:
    > > > > > > # ipa cert-show $SERIAL_NUMBER --out=/tmp/server.crt
    > > > > > > # certutil -A -d $NSSDB -n Server-Cert -t u,u,u -i /tmp/server.crt
    > > > > > >
    > > > > > > HTH,
    > > > > > > flo
    > > > > > >
    > > > > > > [1] https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger
    > > > > > > [2] https://www.freeipa.org/page/PKI#Manual_certificate_requests
    > > > > > >
    > > > > > > > FreeIPA, version: 4.2.0
    > > > > > > >
    > > > > > > > Thanks & Regards,
    > > > > > > > Azeem
    > > > > > > >
    > > > > > > > _______________________________________________
    > > > > > > > FreeIPA-users mailing list -- [email protected]
    > > > > > > > To unsubscribe send an email to [email protected]
    > > > > > > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
    > > > > > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
    > > > > > > > List Archives: https://lists.fedorahosted.org/archives/list/[email protected]

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
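The following script is an added example, not code from this thread or from the FreeIPA project. It wraps the manual renewal steps Florence gives in her first (19 Dec) email, parses the `certutil -K` and `ipa cert-show`/`ipa cert-request` output those steps ask you to read by eye, and adds the check Azim's last question needs: whether a PEM private key actually belongs to a PEM certificate (same SubjectPublicKeyInfo). The sample listings are constructed here, modelled on the output quoted in the thread; `NSSDB`, the `Server-Cert` nickname, the `EXAMPLE.COM` realm and `web.example.com` are placeholders. Only the parsing and the expiry check run offline; `key_matches_cert` needs openssl, and `renew_in_nssdb` needs an enrolled client with certutil, ipa and a Kerberos ticket allowed to request certificates.

```shell
#!/bin/sh
# Added example (not from the thread): helpers around the manual FreeIPA
# renewal procedure, plus a key-vs-certificate match check.
set -eu

# Constructed text shaped like `certutil -K -d $NSSDB` output.
SAMPLE_KEY_LISTING='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      7c0646606b33ab683ee4d1790719ebc4154db0f6   NSS Certificate DB:Server-Cert'

# Constructed text shaped like `ipa cert-show` / `ipa cert-request` output
# (hypothetical host web.example.com, realm EXAMPLE.COM).
SAMPLE_CERT_SHOW='  Issuing CA: ipa
  Subject: CN=web.example.com,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Tue Mar 19 10:00:00 2019 UTC
  Not After: Fri Mar 19 10:00:00 2021 UTC
  Serial number: 23
  Serial number (hex): 0x17'

# Key nickname for `certutil -R -k`: drop the "< 0> rsa <key-id>" prefix of
# the first key line and keep "NSS Certificate DB:Server-Cert".
key_nickname_from_listing() {
  printf '%s\n' "$1" | awk '/^< *[0-9]+>/ { sub(/^< *[0-9]+> +[a-z]+ +[0-9a-f]+ +/, ""); print; exit }'
}

# Decimal serial number, the value `ipa cert-show $SERIAL --out=...` wants.
serial_from_ipa_output() {
  printf '%s\n' "$1" | awk '/^ *Serial number:/ { sub(/^ *Serial number: */, ""); print; exit }'
}

# The "Not After" field verbatim, e.g. "Fri Mar 19 10:00:00 2021 UTC".
not_after_from_ipa_output() {
  printf '%s\n' "$1" | awk '/^ *Not After:/ { sub(/^ *Not After: */, ""); print; exit }'
}

# Succeeds when the cert is expired relative to epoch $2 (default: now).
# ipa prints "<wday> <mon> <day> <time> <year> <zone>"; GNU date parses its
# own output format "<wday> <mon> <day> <time> <zone> <year>", so reorder.
cert_expired() {
  local not_after=$1 now=${2:-$(date +%s)}
  local reordered exp
  reordered=$(printf '%s\n' "$not_after" | awk '{ print $1, $2, $3, $4, $6, $5 }')
  exp=$(date -d "$reordered" +%s)
  [ "$exp" -lt "$now" ]
}

# Does a PEM private key belong to a PEM certificate? Compare the public key
# derived from each (works for RSA and EC alike). Requires openssl.
key_matches_cert() {
  local key_pem=$1 cert_pem=$2
  [ "$(openssl pkey -in "$key_pem" -pubout | openssl sha256)" = \
    "$(openssl x509 -in "$cert_pem" -pubkey -noout | openssl sha256)" ]
}

# The thread's manual renewal end to end, reusing the existing key in the
# NSS database. Not exercised by the demo: needs certutil, ipa and a ticket.
renew_in_nssdb() {
  local nssdb=$1 alias=$2 realm=$3 key_nick serial
  key_nick=$(key_nickname_from_listing "$(certutil -K -d "$nssdb")")
  certutil -R -d "$nssdb" -k "$key_nick" -s "cn=$(hostname),O=$realm" -a -o /tmp/cert.csr
  serial=$(serial_from_ipa_output "$(ipa cert-request --principal="HTTP/$(hostname)" /tmp/cert.csr)")
  certutil -D -d "$nssdb" -n "$alias"
  ipa cert-show "$serial" --out=/tmp/server.crt
  certutil -A -d "$nssdb" -n "$alias" -t u,u,u -i /tmp/server.crt
}

# Offline demo on the constructed samples: `sh renew.sh demo`
if [ "${1:-}" = "demo" ]; then
  echo "key nickname: $(key_nickname_from_listing "$SAMPLE_KEY_LISTING")"
  echo "serial: $(serial_from_ipa_output "$SAMPLE_CERT_SHOW")"
  if cert_expired "$(not_after_from_ipa_output "$SAMPLE_CERT_SHOW")"; then
    echo "certificate expired, renew it"
  fi
fi
```

Run `key_matches_cert key.pem cert.pem` on the files pulled out with `pk12util`/`openssl pkcs12` before assuming the key is the wrong one: if it fails, the key in hand is not the one the certificate was issued for and no amount of renewing with it will help, which is why Florence asks to list the database with `certutil -K` first and reuse the nickname it reports. `renew_in_nssdb "$NSSDB" Server-Cert EXAMPLE.COM` is the same sequence as the thread's six commands, with the serial number picked out of the `ipa cert-request` output instead of being copied by hand.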
