Hi Florence, I want to extract the private key and certificate to a PEM file. I am talking about the nssdb which is located in /etc/pki path.
Content of nssdb :-

certutil -L -d /etc/pki/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA.CLEAR-MARKETS.COM IPA CA                                 CT,C,C

Is this the correct directory to extract the private key and certificate?
Will it work if I extract the private key from nssdb and renew the certificate?

Thanks & Regards,
Azeem

On Thu, 21 Mar 2019 at 05:00, Florence Blanc-Renaud <[email protected]> wrote:

> On 3/19/19 7:07 PM, Azim Siddiqui wrote:
> > Hi,
> >
> > I was wondering is there any way I can extract the private key and
> > certificate from nssdb directory? Bcoz the one key I have is not
> > matching the certificate.
> >
> Hi
> I am insisting, but please keep freeipa-users in copy.
>
> What do you mean by "extract"? Do you want to remove the key from the
> nssdb? Or transform it into another format?
> To remove a private key from a nssdb, use the certutil command with the -F
> option. You can find the full format in the man page certutil(1).
>
> If you want to create a PKCS12 file containing the private key and
> certificate:
> pk12util -o keys.p12 -n $alias -d $NSSDB
>
> If you want a PEM file containing the private key:
> pk12util -o keys.p12 -n $alias -d $NSSDB
> openssl pkcs12 -in keys.p12 -out cert.key -nodes
>
> If you want a PEM file containing the cert:
> certutil -L -d $NSSDB -n $alias -a -o cert.pem
>
> But first of all, which NSSDB directory are you working with? A NSSDB
> can contain multiple keys and certificates, and also certificates
> without matching private keys. Can you show the content of your NSSDB?
> certutil -L -d $NSSDB
> certutil -K -d $NSSDB
>
> flo
> > Thanks,
> > Azeem
> >
> > On Tue, 19 Mar 2019 at 13:01, Florence Blanc-Renaud <[email protected]> wrote:
> >
> > On 3/19/19 4:18 PM, Azim Siddiqui wrote:
> > > Hi Florence,
> > >
> > > Thanks for the info. I will check for the ipa cert-find command and will
> > > send you the output.
> > > Actually, when I am trying to do $ kinit admin it is asking for a password.
> > > And I am not sure about the password, as I said it was set by the previous
> > > system admin.
> > >
> > Hi
> > (re-adding freeipa-users in cc)
> >
> > if you do kinit -kt /etc/krb5.keytab you should also have enough
> > permissions to perform ipa cert-find.
> >
> > > And also I can see there is a nssdb directory on the server. Do you by any
> > > chance know what that is for?
> > There are many nssdb directories on a FreeIPA system. For instance
> > /etc/ipa/nssdb is the NSS database used by the ipa * commands. It
> > contains the certificates of the trusted certificate authorities. You
> > can find more information re. NSS databases in the man page for
> > certutil(1).
> >
> > >
> > > If I have the private key on the server, how can I renew the certificate
> > > signed by IPA? Can you please provide me the steps.
> > If you have the private key in the $NSSDB database you just need to follow
> > the steps provided in my first email
> > (https://lists.fedorahosted.org/archives/list/[email protected]/message/RHHOGPIOFGKFXDZM5OE3DY3RCC7TVCSM/).
> >
> > flo
> > >
> > > Thanks & Regards,
> > > Azeem
> > >
> > > On Tue, 19 Mar 2019 at 04:57, Florence Blanc-Renaud <[email protected]> wrote:
> > >
> > > On 3/18/19 7:50 PM, Azim Siddiqui wrote:
> > > > Hi Florence,
> > > >
> > > > Thanks for your reply.
> > > > I am referring to the applications. For example, we have
> > > > Apache, haproxy, jenkins, git which use certs signed by IPA. And now when
> > > > I am browsing these applications' URLs it is showing "this site is not
> > > > secured".
> > > > And originally, these certs were created by a system admin who is not
> > > > working with us now. So it's getting hard for me to figure out how I can
> > > > create or renew the certs.
> > > >
> > > > And I don't see any files ssl.conf or nss.conf in the server.
> > > > The output for the getcert list command shows this :-
> > > > getcert list
> > > > Number of certificates and requests being tracked: 0.
> > > >
> > > >
> > > > I just want to create a crt and key file signed by IPA, so that I can
> > > > use it for the browsers.
> > > Hi,
> > >
> > > please keep the users mailing list in cc, so that everyone can get
> > > involved/see the resolution.
> > >
> > > It is difficult to provide advice with so little information. Can you start
> > > by checking which certificates were already issued by FreeIPA, and we'll
> > > see if they are expired?
> > >
> > > $ kinit admin
> > > $ ipa cert-find
> > >
> > > With the full output and based on the subject you'll be able to identify
> > > the host or service certs that you are using for your applications. For
> > > each of these certs, run
> > > $ kinit admin
> > > $ ipa cert-show <serial number>
> > > and the output will show if the cert is expired (check the Not After
> > > field).
> > >
> > > For an expired cert, you will be able to renew the cert if you still
> > > have the private key. The private key location can be found by checking
> > > the configuration of your applications.
> > > For instance apache on rhel or fedora stores its config in
> > > /etc/httpd/conf/httpd.conf, which by default loads the modules in
> > > conf.modules.d/*.conf and the config files in conf.d/*.conf.
> > >
> > > flo
> > > >
> > > > Thanks,
> > > > Azeem
> > > >
> > > >
> > > > On Mon, 18 Mar 2019 at 05:30, Florence Blanc-Renaud <[email protected]> wrote:
> > > >
> > > > On 3/15/19 8:16 PM, Azim Siddiqui wrote:
> > > > > Hi Florence,
> > > > >
> > > > > Hope you are doing good. I tried the way you said. But still, it is
> > > > > showing the certificate is expired.
> > > > >
> > > > > Let me be more clear about it.
> > > > >
> > > > > We have apache running with an expired certificate which is signed by
> > > > > FreeIPA. Now I want to renew or create a new certificate. So can you
> > > > > please tell me how I can renew or create a new certificate signed by
> > > > > FreeIPA.
> > > > > Whenever I am going to the Apache URL from the browser, it is showing
> > > > > "site is not secured".
> > > > >
> > > > > Thanks & Regards,
> > > > > Azeem
> > > > >
> > > > Hi,
> > > >
> > > > (re-adding freeipa-users in CC).
> > > > Can you first confirm that you are referring to a cert for the apache
> > > > server *not running on one of the FreeIPA masters*?
> > > >
> > > > Then please explain how you originally obtained the certificate. Also
> > > > include the following information:
> > > > - relevant apache configuration (if using mod_ssl, then
> > > > /etc/httpd/conf.d/ssl.conf or if using mod_nss,
> > > > /etc/httpd/conf.d/nss.conf).
> > > > - output of getcert list on the host running apache
> > > >
> > > > flo
> > > > > On Wed, 19 Dec 2018 at 14:04, Florence Blanc-Renaud <[email protected]> wrote:
> > > > >
> > > > > On 12/13/18 4:04 PM, Azim Siddiqui via FreeIPA-users wrote:
> > > > > > Hello,
> > > > > >
> > > > > > Hope you are doing good. I have a question regarding FreeIPA host
> > > > > > certificates.
> > > > > > We are using FreeIPA as our LDAP. We have some certificates for hosts, ex
> > > > > > :- http/uat.com.
> > > > > > And we are deploying the certs in Haproxy in PEM format.
> > > > > > But the certificates for this host have expired.
> > > > > > Can you please let me know in detail how to renew my expired
> > > > > > certificates for the hosts. Please provide me the commands and steps.
> > > > > >
> > > > > Hi,
> > > > >
> > > > > from your description I understand that you are referring to
> > > > > certificates delivered by the IPA CA for one of the IPA-enrolled hosts, but
> > > > > not the master's Server-Cert used for the IPA Web GUI.
> > > > >
> > > > > In this case, how did you obtain the certificate? If you used a method
> > > > > similar to what is described in this wiki [1], the certificate
> > > > > should be monitored by certmonger and automatically renewed.
> > > > >
> > > > > If you followed instead this wiki [2], the certificate is not
> > > > > tracked by certmonger and needs to be manually renewed. You need to do the
> > > > > following, assuming that the cert is in a NSS database $NSSDB on the IPA
> > > > > client:
> > > > > - find the key nickname
> > > > > # certutil -K -d $NSSDB
> > > > > certutil: Checking token "NSS Certificate DB" in slot "NSS User Private
> > > > > Key and Certificate Services"
> > > > > Enter Password or Pin for "NSS Certificate DB":
> > > > > < 0> rsa      7c0646606b33ab683ee4d1790719ebc4154db0f6   NSS Certificate DB:Server-Cert
> > > > > (note the key nickname for the next command)
> > > > >
> > > > > - create a new certificate request that will re-use the existing key
> > > > > (replace DOMAIN.COM with your IPA domain, in uppercase):
> > > > > # certutil -R -d $NSSDB -k "NSS Certificate DB:Server-Cert" -s "cn=`hostname`,O=DOMAIN.COM" -a -o /tmp/cert.csr
> > > > > Enter Password or Pin for "NSS Certificate DB":
> > > > >
> > > > > - request a certificate using the new certificate request
> > > > > # kinit admin
> > > > > # ipa cert-request --principal=HTTP/`hostname` /tmp/cert.csr
> > > > > (the output will display a Serial Number that needs to be noted for the
> > > > > next command)
> > > > >
> > > > > - remove the previous cert from the NSS database:
> > > > > # certutil -D -d $NSSDB -n Server-Cert
> > > > >
> > > > > - export the certificate to a file, then import the certificate in the
> > > > > NSS database:
> > > > > # ipa cert-show $SERIAL_NUMBER --out=/tmp/server.crt
> > > > > # certutil -A -d $NSSDB -n Server-Cert -t u,u,u -i /tmp/server.crt
> > > > >
> > > > > HTH,
> > > > > flo
> > > > >
> > > > > [1] https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger
> > > > > [2] https://www.freeipa.org/page/PKI#Manual_certificate_requests
> > > > >
> > > > > > FreeIPA, version: 4.2.0
> > > > > >
> > > > > > Thanks & Regards,
> > > > > > Azeem
> > > > > >
> > > > > > _______________________________________________
> > > > > > FreeIPA-users mailing list -- [email protected]
> > > > > > To unsubscribe send an email to [email protected]
> > > > > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > > List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
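For the extraction question in the latest exchange, an added example that is not code from the thread or from FreeIPA: it reads certutil -L output to check that a nickname actually carries a private key, which NSS marks with the lowercase "u" trust flag (the /etc/pki/nssdb listing above shows only the CA entry with CT,C,C, so that database holds no key to export), then runs the pk12util / openssl export Florence gave with 0600 output files and confirms the exported key and cert share a public key. It assumes certutil, pk12util and openssl are on PATH; the sample listing and its Server-Cert line are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check for a private key before exporting
# a nickname from an NSS database, then export key + cert as PEM.
set -e

# From `certutil -L -d $NSSDB` output on stdin, print the nicknames whose trust
# flags contain "u": NSS sets that flag only when the database holds the
# matching private key, so entries with only "CT,C,C" have nothing to export.
nicks_with_private_key() {
  awk '$NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
         trust = $NF; $NF = ""; sub(/[ \t]+$/, "")
         if (trust ~ /u/) print
       }'
}

# usage: nssdb_to_pem "$NSSDB" Server-Cert /path/to/outdir
# Files are created 0600 because openssl -nodes writes the key unencrypted.
nssdb_to_pem() {
  nssdb=$1 nick=$2 out=$3
  certutil -L -d "$nssdb" | nicks_with_private_key | grep -qxF "$nick" \
    || { echo "$nick has no private key in $nssdb (trust flags lack u)" >&2; return 1; }
  umask 077
  pk12util -o "$out/keys.p12" -n "$nick" -d "$nssdb"
  openssl pkcs12 -in "$out/keys.p12" -out "$out/$nick.key" -nodes -nocerts
  certutil -L -d "$nssdb" -n "$nick" -a -o "$out/$nick.pem"
  rm -f "$out/keys.p12"
  # The exported pair must belong together: compare the two public keys.
  [ "$(openssl x509 -in "$out/$nick.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$out/$nick.key" -pubout)" ]
}

# Constructed listing in the shape of the thread's `certutil -L` output, plus
# one service cert that does carry a key, to exercise the parser offline.
SAMPLE_CERTUTIL_L='Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

IPA.CLEAR-MARKETS.COM IPA CA                 CT,C,C
Server-Cert                                  u,u,u'
```

Running `printf '%s\n' "$SAMPLE_CERTUTIL_L" | nicks_with_private_key` prints only Server-Cert; on Azeem's real listing it prints nothing, which answers whether that directory is the right one to export from.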
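The manual renewal procedure from Florence's December reply, as an added example that is not code from the thread or the FreeIPA project: a POSIX sh script that parses the certutil -K and ipa cert-request output the reply shows, runs the steps with the thread's $NSSDB / Server-Cert / DOMAIN.COM placeholders, and fetches the new cert before removing the old one. It assumes certutil, ipa and kinit are on PATH, that an admin ticket exists, and that ipa cert-request prints a "Serial number:" line; the sample listing at the end is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: the manual renewal
# steps for a cert held in an NSS database, re-using its existing private key.
# Assumes certutil, ipa and kinit are on PATH and a valid admin ticket exists.
set -e

# From `certutil -K` output on stdin, print the full key name for one nickname.
# Lines look like:  < 0> rsa   <key id>   NSS Certificate DB:Server-Cert
key_name_for_nick() {
  grep ":$1\$" | sed -n 's/^< *[0-9]*> *[a-z]* *[0-9a-f]* *//p' | head -n 1
}

# From `ipa cert-request` / `ipa cert-show` output on stdin, print the serial.
# Assumption: the line reads "Serial number: <n>" (first such line wins).
serial_from_ipa() {
  sed -n 's/^ *[Ss]erial [Nn]umber: *//p' | head -n 1
}

# usage: renew_nssdb_cert "$NSSDB" Server-Cert DOMAIN.COM
renew_nssdb_cert() {
  nssdb=$1 nick=$2 domain=$3 host=$(hostname)
  keyname=$(certutil -K -d "$nssdb" | key_name_for_nick "$nick")
  [ -n "$keyname" ] || { echo "no private key named $nick in $nssdb" >&2; return 1; }
  csr=$(mktemp) crt=$(mktemp)
  # CSR signed with the existing key, so the renewed cert pairs with that key.
  certutil -R -d "$nssdb" -k "$keyname" -s "cn=$host,O=$domain" -a -o "$csr"
  serial=$(ipa cert-request --principal="HTTP/$host" "$csr" | serial_from_ipa)
  [ -n "$serial" ] || { echo "ipa cert-request printed no serial" >&2; return 1; }
  # Fetch the new cert before deleting the old one (the thread does it the other
  # way round) so a failed request never leaves the database without a cert.
  ipa cert-show "$serial" --out="$crt"
  certutil -D -d "$nssdb" -n "$nick"
  certutil -A -d "$nssdb" -n "$nick" -t u,u,u -i "$crt"
  rm -f "$csr" "$crt"
  # After import the key must still be listed under the nickname.
  certutil -K -d "$nssdb" | grep -q ":$nick\$"
}

# Constructed sample of `certutil -K` output, shaped like the thread's listing,
# so the parser can be exercised without an NSS database present.
SAMPLE_CERTUTIL_K='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      7c0646606b33ab683ee4d1790719ebc4154db0f6   NSS Certificate DB:Server-Cert'
```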
