On 21/09/2023 20:30, Rob Crittenden via FreeIPA-users wrote:
>> I ask because my /root/cacert.p12 and /root/kracert.p12 files also
>> aren't encrypted with my directory manager password and I am pretty sure
>> I haven't changed this password since installing any of my current IPA
>> servers. And when I install a replica I don't remember typing the
>> directory manager password anywhere...

> I can't explain it. Mine is definitely encrypted by the DM password.

I just pulled the cacert.p12 and kracert.p12 files from the backup of my original ipa server and... my directory manager password is able to decrypt them!

So it's only my current servers where the file can't be decrypted... how strange...

>> Since the tooling for PKCS12 files is a tad awkward to use, here's a
>> handy command to print out the contents of these files:
>>
>> # openssl pkcs12 -in /tmp/cacert.p12 -noenc | egrep -v '^[0-9A-Za-z/+]+=*$'

> pk12util -l /path/to/cacert.p12 will print all the stored certs and
> whether there is a private key included.

Ah that's a much nicer command, thanks.

--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
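As an added example (not code from the thread or from FreeIPA), here is a small POSIX shell script that turns the two checks discussed above into functions: does a candidate password (such as the Directory Manager password) open a bundle like /root/cacert.p12, and what does the bundle hold. It assumes the openssl CLI is on PATH; the function names, the -nodes spelling (the pre-3.0 alias of the -noenc used above) and the -legacy fallback are this example's own choices, and the password is passed through the environment rather than argv.

```shell
#!/bin/sh
# Added example: probe an IPA PKCS#12 bundle (cacert.p12 / kracert.p12) with a
# candidate password and summarise its contents. Assumes openssl is installed.

run_pkcs12() {
  # $1 = PKCS#12 file, $2 = password, remaining args = extra openssl flags.
  # -passin env: keeps the password out of the process list.
  f=$1; p=$2; shift 2
  P12_PASS="$p" openssl pkcs12 -in "$f" -passin env:P12_PASS -nodes "$@"
}

p12_check() {
  # 0: password verifies the MAC and the bundle decrypts.
  # 1: wrong password (MAC verification fails).
  # 2: password is right but OpenSSL 3 needs -legacy (older NSS/pk12util
  #    output encrypts the bags with RC2-40-CBC, which lives in the legacy
  #    provider), so a bare "openssl pkcs12" fails after the MAC check.
  err=$(run_pkcs12 "$1" "$2" 2>&1 >/dev/null) && return 0
  case "$err" in
    *"verify error"*) return 1 ;;   # "Mac verify error: invalid password?"
  esac
  run_pkcs12 "$1" "$2" -legacy >/dev/null 2>&1 && return 2
  return 1
}

p12_summary() {
  # Same filter as the egrep in the thread: drop the base64 body and keep
  # bag attributes, subject/issuer lines and the BEGIN/END markers.
  { run_pkcs12 "$1" "$2" 2>/dev/null \
      || run_pkcs12 "$1" "$2" -legacy 2>/dev/null; } \
    | grep -v -E '^[0-9A-Za-z/+]+=*$'
}

p12_key_count() {
  # Number of private keys in the bundle (prints 0 if there are none).
  p12_summary "$1" "$2" | grep -c 'BEGIN .*PRIVATE KEY'
}

# Stand-alone use: sh p12check.sh /root/cacert.p12 "$DM_PASSWORD"
if [ $# -eq 2 ]; then
  p12_check "$1" "$2"; rc=$?
  case $rc in
    0) echo "password OK" ;;
    2) echo "password OK, but the bundle needs 'openssl pkcs12 -legacy'" ;;
    *) echo "password rejected (MAC verify failed)"; exit 1 ;;
  esac
  p12_summary "$1" "$2"
  echo "private keys: $(p12_key_count "$1" "$2")"
fi
```

A return code of 2 is worth knowing about: on a recent host the DM password may be correct while the unmodified openssl command still fails, which looks like a wrong password unless the error text is read.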
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
