On 07/22/2013 05:41 AM, Justin Brown wrote:

I'm having some trouble understanding certificates in general and
service certificates in FreeIPA.

Keystone if the authentication layer for OpenStack, and I'm trying to
get it setup to integrate with the certificates in my FreeIPA domain.

By default, Keystone setups up a self-signed CA based on settings an

I would like to use a FreeIPA service certificate to sign tokens for

I have Keystone at keystone.cloud.fandingo.org
<http://keystone.cloud.fandingo.org> and install with the FreeIPA client.

I setup a service, HTTP/keystone.cloud.fandingo.org
<http://keystone.cloud.fandingo.org>. Then, I create a CSR and private
key using OpenSSL. Lastly, I copy  the CSR into FreeIPA and generate the

  I just need to get the signed certificate out of FreeIPA in some way.
However, I can't for the life of me figure out what format the
certificate is. It's not PEM or any of the PKCS versions that I'm
familiar with because there are no header or footer lines. It doesn't
appear to be DER because OpenSSL refuses to process it as such.

What command did you use to display the certificate?
IPA stores certificates in DER form, and the tools (ipa service-show, ipa cert-show, ldapsearch, etc.) display that in base64-encoded form.

You can use `ipa service-show HTTP/keystone.cloud.fandingo.org --out servicecert.pem` to write the cert to file servicecert.pem.

(Alternatively, you can take the data cert-show displays and either use `base64 -d` command to convert to binary DER, or add the PEM header and footer to get PEM.)


Freeipa-users mailing list

Reply via email to