Hi,

On Tue, Oct 17, 2023 at 8:20 PM HUANG, TONY via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Hi Rob,
>
> The CSR is generated within the web UI by following this section "Web UI: Requesting new certificates" (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/certificates)

If you followed this guide, the procedure involves certutil and an NSS database:

[image: image.png]

This means that your private key is stored in the NSS database in <database path>. In order to extract the key, you need first to add the cert to the NSS database with

    certutil -A -d <database path> -n <nickname> -t u,u,u -i <certificate.crt>

Then create a p12 file containing cert + pem:

    pk12util -d <database path> -n <nickname> -o file.p12

And finally extract the key from the p12 file:

    openssl pkcs12 -in file.p12 -nocerts -out privateKey.pem

HTH,
flo

> I am looking to perform an authenticated ldapsearch using certificate-based authentication so I don't have to pass username and password onto the command line when searching against cn=groups,cn=accounts. Looks like only an authenticated ldapsearch will yield memberOf info (usernames that belong to the group), but an anonymous ldapsearch will only yield group container info without memberOf UIDs.
>
> This document (https://access.redhat.com/documentation/en-us/red_hat_directory_server/12/html/securing_red_hat_directory_server/assembly_configuring-certificate-based-authentication_securing-rhds) says we need to have .ldaprc which includes the user's private key, therefore my original question.
>
> LDAPTLS_CACERT=/home/user_name/CA.crt
> LDAPTLS_KEY=/home/user_name/user.key
> LDAPTLS_CERT=/home/user_name/user.der
>
> Will my certificate-based ldapsearch work without user.key defined?
>
> So far I haven't been able to perform the ldapsearch because I am getting:
>
> ldap_start_tls: Can't contact LDAP server (-1) additional info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain).
>
> Any pointers will be greatly appreciated!
>
> --Tony
>
> On Tue, Oct 17, 2023 at 4:58 AM Rob Crittenden <rcrit...@redhat.com> wrote:
>
>> HUANG, TONY via FreeIPA-users wrote:
>> > Hi,
>> >
>> > I am trying to achieve user authentication against IdM using the user's certificate. The user certificate is requested from the built-in CA within IdM and signed by it.
>> >
>> > I am able to download the user's public cert via the web UI, but how can I download the private key so I can define it in the user's .ldaprc file?
>>
>> IPA never has access to a user's private key. A key is generated by a user (e.g. openssl genrsa) and a CSR (Certificate Signing Request) using that (openssl req). So the user should already possess the private key.
>>
>> This is assuming the user used openssl to generate the key. With NSS the private key would be in whatever database was used to create the CSR.
>>
>> rob
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
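The three key-extraction steps flo gives above, followed by the client-side check and .ldaprc setup Tony is asking about, as an added shell example that is not code from the thread or from FreeIPA. It assumes the certificate and key end up as PEM files (OpenLDAP built against OpenSSL reads PEM, not DER), that the IPA CA certificate is available as a file on the client (on an enrolled IPA client that is normally /etc/ipa/ca.crt), and that the server-side certificate mapping has been configured as in the RHDS document Tony cites; the host name, base DN and file paths in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: extract the private key from the NSS
# database that produced the CSR, check it belongs to the issued certificate,
# and write a strict ~/.ldaprc for certificate-based ldapsearch. Host names,
# base DNs and file paths used below are placeholders/assumptions.
set -eu

# flo's three steps: import the issued cert next to its key, export both as
# PKCS#12, then pull the key out as an unencrypted PEM that ldapsearch can read.
extract_key_from_nss() {
    db="$1"; nick="$2"; cert="$3"; keyout="$4"
    certutil -A -d "$db" -n "$nick" -t u,u,u -i "$cert"
    pk12util -d "$db" -n "$nick" -o "$keyout.p12"
    # -nodes: no passphrase on the output, since ldapsearch cannot prompt for one
    openssl pkcs12 -in "$keyout.p12" -nocerts -nodes -out "$keyout"
    chmod 600 "$keyout"
    rm -f "$keyout.p12"
}

# Sanity check before touching .ldaprc: the public key embedded in the
# certificate must equal the public half of the extracted key. Both are
# normalised to DER and compared by SHA-256 digest.
key_matches_cert() {
    keyfp=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
    certfp=$(openssl x509 -in "$2" -noout -pubkey |
             openssl pkey -pubin -pubout -outform DER | openssl sha256)
    [ "$keyfp" = "$certfp" ]
}

# Client TLS settings. The "self signed certificate in certificate chain"
# error in the thread means the client does not trust the IPA CA, which is a
# self-signed root. The fix is TLS_CACERT pointing at that CA file while
# TLS_REQCERT stays at demand; lowering TLS_REQCERT would silence the error
# but let any server impersonate IPA. The LDAPTLS_CACERT / LDAPTLS_CERT /
# LDAPTLS_KEY environment variables from Tony's mail are the same settings.
write_ldaprc() {
    rcfile="$1"; cacert="$2"; cert="$3"; key="$4"
    cat > "$rcfile" <<EOF
TLS_CACERT $cacert
TLS_CERT $cert
TLS_KEY $key
TLS_REQCERT demand
EOF
    chmod 600 "$rcfile"
}

# StartTLS (-ZZ: abort if TLS cannot be established, which is what produced
# Tony's ldap_start_tls error) plus SASL EXTERNAL, which asks the server to
# derive the bind identity from the client certificate. On the group entry
# itself the members are listed in the "member" attribute.
cert_ldapsearch() {
    host="$1"; basedn="$2"; group="$3"
    ldapsearch -ZZ -H "ldap://$host" -Y EXTERNAL -b "$basedn" "(cn=$group)" member
}

case "${1:-}" in
    extract)
        # usage: sh this.sh extract <nssdb dir> <nickname> <user.crt> <user.key>
        extract_key_from_nss "$2" "$3" "$4" "$5"
        key_matches_cert "$5" "$4" && echo "key $5 matches certificate $4"
        ;;
    ldaprc)
        # usage: sh this.sh ldaprc /etc/ipa/ca.crt <user.crt> <user.key>
        write_ldaprc "$HOME/.ldaprc" "$2" "$3" "$4"
        ;;
    search)
        # usage: sh this.sh search ipa.example.test "cn=groups,cn=accounts,dc=example,dc=test" admins
        cert_ldapsearch "$2" "$3" "$4"
        ;;
    *) ;;   # no arguments: only define the functions (e.g. when sourced)
esac
```

Run the `extract` step once on the machine that holds the NSS database from the CSR, then `ldaprc` and `search` on the client; `key_matches_cert` is worth running before any LDAP debugging, because a key that does not belong to the certificate fails the TLS handshake in a way that is easy to mistake for a server-side problem.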