Jernej Jakob via FreeIPA-users wrote: > On Wed, 26 Jul 2023 11:10:23 +0000 > Carlos Lopez via FreeIPA-users <[email protected]> > wrote: > >> Hi all, >> >> Sorry to disturb but I can not find which is the correct procedure to >> accomplish this. I have created a certificate in WebUI and I can export >> certificate in pem format, which it is what I need. But I need the private >> key also. This certificate is for a host outside of Kerberos and LDAP's >> FreeIPA domain. >> >> How can I export pem cert and key file? >> >> Regards, >> C. L. Martinez >> > > While I don't know the answer to your question, I can say that the > private key should not leave the server (machine, service, user,...) > which uses it. The standard procedure for PKI is to generate a private > key on the machine, generate a CSR, send the CSR to the CA to get > signed (which issues the certificate), then install the certificate > back on the machine. If the machine is enrolled into FreeIPA you can do > this with certmonger. If not, you can probably still get FreeIPA to > sign your CSR.
This is correct. The private key (CSR) is generated on the requestors machine and submitted to the IPA CA by the user. IPA only has the public key (certificate). As mentioned, there are a couple of ways to submit requests. One can do it using the CLI using cert-request, or the WebUI which leverages the same call or have certmoner do it. rob _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
