Hi, if you used the WebUI to generate a cert, you had to type a few commands in a terminal, like: certutil -N -d <database path> certutil -R -d <database path> -a -g <key size> -s 'CN=employee,O= DEMO1.FREEIPA.ORG'
This means that you generated a key in the NSS database. When you used the WebUI to issue the cert, the new cert was added to the entry. You can retrieve it from the WebUI with the Actions > Download button, and you will obtain a pem file that you can load in the NSS database with certutil -d <database path> -A -n <nickname> -t u,u,u Then use pk12util to generate a p12 file containing the cert and the key: pk12util -o outputfile.p12 -d <database path> -n <nickname> Warning, the file contains the private key and the certificate and should be protected. HTH, flo On Wed, Jul 26, 2023 at 1:50 PM Jernej Jakob via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > On Wed, 26 Jul 2023 11:10:23 +0000 > Carlos Lopez via FreeIPA-users <freeipa-users@lists.fedorahosted.org> > wrote: > > > Hi all, > > > > Sorry to disturb but I can not find which is the correct procedure to > accomplish this. I have created a certificate in WebUI and I can export > certificate in pem format, which it is what I need. But I need the private > key also. This certificate is for a host outside of Kerberos and LDAP's > FreeIPA domain. > > > > How can I export pem cert and key file? > > > > Regards, > > C. L. Martinez > > > > While I don't know the answer to your question, I can say that the > private key should not leave the server (machine, service, user,...) > which uses it. The standard procedure for PKI is to generate a private > key on the machine, generate a CSR, send the CSR to the CA to get > signed (which issues the certificate), then install the certificate > back on the machine. If the machine is enrolled into FreeIPA you can do > this with certmonger. If not, you can probably still get FreeIPA to > sign your CSR. > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue >
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue