On 07/19/2013 06:57 AM, craig.free...@noboost.org wrote:
> Hi,
>
> I've been using Redhat IPA 2.2 as our internal CA quite successfully
> for a while and managing it from the IPA management website.
>
> I'm struggling to find precise information about the SSL certs and
> management at a CLI level.
>
> 1) Can I submit SSL CSR via cli?

Yes, you could, using the ipa cert-request command.

Example:

1. Add the host for which you are generating the request.

   # ipa host-add webserver1.example.org

2. Create a CSR (i.e. a private key and certificate request, using the openssl command)

   A. Generate the private key:

      [root@test1 certs]# openssl genrsa 1024 > server.key

   B. Generate the CSR:

      [root@test1 certs]# openssl req -new -key server.key -out server.csr

3. Submit the certificate request:

   # ipa cert-request /etc/pki/tls/certs/server.csr

4. Get the signed certificate out using the ipa cert-show command.

   Example:

   [root@test1 certs]# ipa cert-show 12 --out=/etc/pki/tls/certs/server.crt

> 2) Where are the approved client SSL certs kept in IPA?
>

They are stored in Directory Server in 2 places:

1. Domain suffix tree

   dn:fqdn=webserver1.example.org,cn=computers,cn=accounts,dc=example,dc=org

2. CA store in DS. The certificate system of IPA stores certificates in its
   LDAP store (ou=certificateRepository,ou=ca,o=ipaca)

>
> cya
>
> Craig
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

-- 
Regards
M.R.Niranjan
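A non-interactive variant of steps 1-3 above, as an added example that is not part of the original message: it builds the CSR with the host name as subject CN and checks that CN before anything is submitted, so the CSR agrees with the principal passed to ipa cert-request. Assumptions: an HTTP service principal, a 2048-bit key instead of the 1024 in the message, and hypothetical helper names (make_csr, csr_cn, csr_matches_host, submit_csr).

```shell
#!/bin/sh
# Added example, not from the original message. Helper names are hypothetical.
# Assumes openssl is installed; submit_csr also needs the ipa client and a
# valid Kerberos ticket for an IPA administrator.

# make_csr HOST KEYFILE CSRFILE
# Writes the private key with mode 0600 and a CSR whose subject is CN=HOST.
make_csr() {
    ( umask 077 && openssl genrsa -out "$2" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$2" -subj "/CN=$1" -out "$3"
}

# csr_cn CSRFILE
# Prints the first CN found in the CSR subject (empty if it cannot be read).
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | sed -n '1p'
}

# csr_matches_host CSRFILE HOST
# Succeeds only when the CSR subject CN is exactly HOST.
csr_matches_host() {
    [ "$(csr_cn "$1")" = "$2" ]
}

# submit_csr HOST CSRFILE
# Steps 1 and 3 of the message, plus the service principal (an assumption:
# HTTP/HOST) that ipa cert-request would otherwise prompt for.
submit_csr() {
    csr_matches_host "$2" "$1" || {
        echo "CSR subject CN does not match $1, not submitting" >&2
        return 1
    }
    ipa host-add "$1" &&
    ipa service-add "HTTP/$1" &&
    ipa cert-request "$2" --principal="HTTP/$1"
}
```

The serial number printed by ipa cert-request is the value to give ipa cert-show in step 4.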