Stephen Ingram wrote:
On Wed, Nov 30, 2011 at 12:59 PM, Rob Crittenden<rcrit...@redhat.com>  wrote:

The only part assuming that is ipa-join itself. IPA does not support the
direct use of kadmin or kadmin.local. On a supported platform you'd run:

# ipa-getkeytab -s ipa.example.com -k /tmp/remote.keytab -p host/remote.example.com

Then ship /tmp/remote.keytab to the machine and either use ktutil to combine
it with /etc/krb5.keytab or replace krb5.keytab with it (and fix owner and
permissions, and potentially SELinux context).

OK, got it. I can use the FreeIPA system itself to grab these for host
and services and then the new remote machine will have all the principals it
requires to work within the FreeIPA realm.

Yup.


certmonger gets its IPA configuration from /etc/ipa/default.conf. If you
don't want or have certmonger then you can skip the CA bit altogether.
Otherwise you'll need to copy in a working config.

OK, this requires certmonger. If I still want a FreeIPA-signed cert (say
I need to talk SSL to the FreeIPA directory for mail server config
purposes, e.g. to check the existence of an email address) without certmonger, I
can use certmonger on the FreeIPA server or the UI to sign a CSR generated using
NSS on the remote system and then transport the cert to the remote system and
manually install it for apache, ldap client, etc., right?

You don't need certmonger to have SSL certs, it just makes it easier to request and manage them (because of the auto-renewal features).

To do it manually just do something like this to get a cert for a web server. The IPA server here is really any machine with the admintools package installed.

remote system:
generate CSR using openssl or certutil, save as PEM file, ship to IPA host.

With NSS I do:

certutil -R -s "CN=remote.example.com,O=EXAMPLE.COM" -d /path/to/database/dir -a > example.csr

Be sure that the CN value is the FQDN of your server.

IPA server:
# ipa cert-request --principal HTTP/remote.example.com /path/to/csr.pem
# ipa service-show --out=/tmp/service.crt HTTP/remote.example.com

Your cert will be in /tmp/service.crt and PEM formatted for easy use. The output of cert-request is just a base64 blob.

I'm not trying to supplant FreeIPA here. Obviously the best (and
almost effortless) solution is to have freeipa-client and certmonger
on the system; however, if I'm stuck with an older version of Red Hat or
some other OS that just doesn't conveniently support FreeIPA, I just
want to be able to get a cert and the necessary principals to be able to
easily work within the FreeIPA realm. I also sort of like to know how
everything works in more detail just in case something breaks and I
have to make manual adjustments.

This may be handy to augment the IPA documentation too if you want to donate back your findings :-)

cheers

rob
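The manual procedure discussed in this thread (CSR on the remote system, cert-request and service-show on the IPA side, keytab shipped and installed by hand), gathered into a set of shell helpers. This is an added example, not code from the thread or from FreeIPA itself. It uses openssl rather than certutil for the CSR (both are mentioned above); the function names, the EXAMPLE.COM organisation and the temporary file paths are assumptions made for illustration. Only the CSR and keytab-permission helpers run locally; the IPA-side and ktutil helpers need a real server and Kerberos ticket.

```sh
#!/bin/sh
# Manual enrolment helpers for a host without freeipa-client/certmonger.
# Added example; function names, O=EXAMPLE.COM and paths are assumptions.

# Remote system: generate a private key and a CSR whose CN is the host's FQDN.
make_csr() {
  host=$1; dir=$2
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" \
    -subj "/CN=$host/O=EXAMPLE.COM" >/dev/null 2>&1
  chmod 600 "$dir/$host.key"
}

# Print the CN of a PEM CSR. RFC2253 naming gives a stable "CN=...,O=..." form
# regardless of the openssl version's default subject layout.
csr_cn() {
  openssl req -noout -subject -nameopt RFC2253 -in "$1" \
    | sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^ *CN=//p' | head -n 1
}

# Check the CSR before shipping it: the cert is tied to the service principal
# HTTP/<fqdn>, so a CN that is not the FQDN produces a cert clients reject.
check_csr_cn() {
  csr=$1; fqdn=$2
  cn=$(csr_cn "$csr")
  if [ "$cn" = "$fqdn" ]; then
    return 0
  fi
  echo "CSR CN is '$cn', expected '$fqdn'" >&2
  return 1
}

# IPA server (any host with admintools): the two commands from the thread.
# cert-request prints a base64 blob; service-show --out writes a PEM file.
# Not run here; needs a Kerberos ticket allowed to request certificates.
ipa_issue_cert() {
  host=$1; csr=$2; out=$3
  ipa cert-request --principal "HTTP/$host" "$csr"
  ipa service-show --out="$out" "HTTP/$host"
}

# Remote system: install a shipped keytab with the ownership and permissions
# the thread warns about (root-only), and relabel for SELinux where available.
install_keytab() {
  src=$1; dest=$2
  cp "$src" "$dest"
  chmod 600 "$dest"
  if [ "$(id -u)" -eq 0 ]; then
    chown root:root "$dest"
  fi
  if command -v restorecon >/dev/null 2>&1; then
    restorecon "$dest" || true
  fi
}

# Alternative to replacing /etc/krb5.keytab: merge with ktutil. wkt appends to
# an existing file, so write the union to a fresh file and move it into place.
# Not run here.
merge_keytab() {
  src=$1; dest=$2
  ktutil <<EOF
rkt $dest
rkt $src
wkt $dest.merged
EOF
  mv "$dest.merged" "$dest"
  chmod 600 "$dest"
}
```

Typical use on the remote host is `make_csr remote.example.com /tmp && check_csr_cn /tmp/remote.example.com.csr remote.example.com` before copying the CSR to the IPA host, then `install_keytab /tmp/remote.keytab /etc/krb5.keytab` (as root) once the keytab from ipa-getkeytab arrives.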

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
