On 07/22/2013 05:41 AM, Justin Brown wrote:
Hi,

I'm having some trouble understanding certificates in general and
service certificates in FreeIPA.

Keystone is the authentication layer for OpenStack, and I'm trying to
get it set up to integrate with the certificates in my FreeIPA domain.

By default, Keystone sets up a self-signed CA based on settings in
openssl.conf.

I would like to use a FreeIPA service certificate to sign tokens for
Keystone.

I have Keystone at keystone.cloud.fandingo.org and installed with the
FreeIPA client.

I set up a service, HTTP/keystone.cloud.fandingo.org. Then, I create a
CSR and private key using OpenSSL. Lastly, I copy the CSR into FreeIPA
and generate the certificate.

I just need to get the signed certificate out of FreeIPA in some way.
However, I can't for the life of me figure out what format the
certificate is. It's not PEM or any of the PKCS versions that I'm
familiar with because there are no header or footer lines. It doesn't
appear to be DER because OpenSSL refuses to process it as such.

Hello,
What command did you use to display the certificate?
IPA stores certificates in DER form, and the tools (ipa service-show, ipa cert-show, ldapsearch, etc.) display that in base64-encoded form.

You can use `ipa service-show HTTP/keystone.cloud.fandingo.org --out servicecert.pem` to write the cert to file servicecert.pem.

(Alternatively, you can take the data cert-show displays and either use `base64 -d` command to convert to binary DER, or add the PEM header and footer to get PEM.)

--
Petr³
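
The two manual conversions mentioned in the reply above (base64 to binary DER, and base64 to PEM by adding the header and footer), as an added shell example that is not part of the original thread or of FreeIPA's tooling. The function names and the sample value are constructed for illustration, and `base64 -d` is assumed to be the GNU coreutils form.

```shell
#!/bin/sh
# Added example: turn the bare base64 shown by the ipa tools into DER or PEM.

# Read stdin, drop any PEM armor lines and all whitespace, then sanity-check.
clean_b64() {
    b64=$(grep -v '^-----' | tr -d ' \t\r\n')
    # A DER certificate starts with the SEQUENCE tag 0x30, which always
    # base64-encodes to a leading "M" (usually "MII").
    case $b64 in
        M*) ;;
        *) echo "input does not look like a base64 DER certificate" >&2
           return 1 ;;
    esac
    # Reject anything base64 cannot decode (stray characters, truncation).
    printf '%s' "$b64" | base64 -d >/dev/null 2>&1 || {
        echo "input is not valid base64" >&2
        return 1
    }
    printf '%s\n' "$b64"
}

# stdin: base64 text  ->  stdout: binary DER
b64_to_der() {
    b64=$(clean_b64) || return 1
    printf '%s' "$b64" | base64 -d
}

# stdin: base64 text  ->  stdout: PEM (armor lines plus a 64-column body)
b64_to_pem() {
    b64=$(clean_b64) || return 1
    echo '-----BEGIN CERTIFICATE-----'
    printf '%s\n' "$b64" | fold -w 64
    echo '-----END CERTIFICATE-----'
}

# Constructed sample (placeholder bytes, not a real certificate), broken up
# by whitespace the way pasted terminal output often is.
SAMPLE_B64='MIIB AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA
  AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA'

printf '%s\n' "$SAMPLE_B64" | b64_to_pem
```

With a real certificate, the output of either function can be checked with `openssl x509 -noout -text`, adding `-inform DER` for the binary form.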
