On Fri, Apr 27, 2012 at 02:52:20PM -0400, Dmitri Pal wrote:
> I thought that there was a flag for ipa-getkeytab to fetch existing key
> but my knowledge in this area is rusty. Same with the cert.
> May be someone else would chime in.
There's a way for certificates, at least.
If you still have the matching private key on the host (unless I'm
mistaken, we don't have optional escrow yet, so if you don't have the
private key, you're out of luck, and there's no point in bothering with
any of this), you should be able to dig up the corresponding
Since the regular IPA machinery already knows how to pull up a
certificate if you know its serial number, we just need to figure out
the serial number. On the server, we search Dogtag's directory server
instance by running:
ldapsearch -h localhost:7389 -x -D "cn=Directory Manager" -W \
-b ou=certificateRepository,ou=ca,o=ipaca \
subjectname="cn=$FQDN",o=$DOMAIN cn serialno
We'll need to supply the directory server administrator password. We'll
get back the "cn" and "serialno" values for any matching entries. The
"cn" values appear to be the serial numbers. If multiple certificates
were issued to the host, we'll get more than one serial number back. We
can pass any of them to "ipa cert-show" to retrieve the certificate with
that was issued with that serial number.
The "Certificate:" value is base64 without a header or footer, but we
can pipe the whole value through OpenSSL's utility to both make sure we
have the whole thing, and clean it up in the process. Run this command,
and copy/paste the value into it:
openssl base64 -d | openssl x509 -inform der
The result can be stored in the relevant file for use with OpenSSL, or
imported into the relevant database for use with NSS.
Like Stephen noted about keytabs, though, there should be no harm in
just issuing a new certificate for the host in question. Certificates
are always issued with limited validity periods, so anything that breaks
when if/when a certificate is replaced needs to be fixed anyway.
Freeipa-users mailing list