Arthur Faizullin wrote:
Is it
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
about the same?


No, that is for another purpose. That replaces IPA service certs with those from a 3rd party CA (and it doesn't work well at all in 2.2 or 3.0).

I'd recommend certmonger so you can auto-renew certs, http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/certmongerX.html

Or manually at http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/managing-services.html#request-service-service

rob


On Fri, 19/07/2013 at 10:56 +0530, M.R Niranjan wrote:
On 07/19/2013 06:57 AM, craig.free...@noboost.org wrote:
Hi,

I've been using Redhat IPA 2.2 as our internal CA quite successfully
for a while and managing it from the IPA management website.

I'm struggling to find precise information about the SSL certs and
management at a CLI level.

1) Can I submit SSL CSR via cli?
Yes, you could, using the ipa cert-request command

Example:

1. Add the host for which you are generating request.

# ipa host-add webserver1.example.org

2. Create a CSR (i.e. private key and certificate request using the openssl
command)

        A. Generate private key:

        [root@test1 certs]# openssl genrsa 1024 > server.key

        B. Generate CSR:

        [root@test1 certs]#  openssl req -new -key server.key -out server.csr

3. Submit the certificate request:

# ipa cert-request /etc/pki/tls/certs/server.csr

4. Get the signed Certificate out using ipa cert-show command

Example:
[root@test1 certs]# ipa cert-show 12 --out=/etc/pki/tls/certs/server.crt

2) Where are the approved client SSL certs kept in IPA?


They are stored in Directory Server in 2 places

1. Domain Suffix tree
dn:fqdn=webserver1.example.org,cn=computers,cn=accounts,dc=example,dc=org

2. CA store in DS. The certificate system of IPA stores certificates in its
LDAP store (ou=certificateRepository,ou=ca,o=ipaca)



cya

Craig

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
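
The following is an added example, not part of any message in this thread: a pre-flight check to run on the CSR from step 2 before submitting it in step 3, confirming that it parses, that its CN is the host added in step 1, and that its RSA key meets a minimum size. The function names and the 2048-bit `MIN_RSA_BITS` threshold are assumptions chosen for this example (with that threshold, a 1024-bit key is rejected), and the parsing relies on the `Public-Key: (N bit)` line that `openssl req -text` prints.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a CSR before submitting
# it with `ipa cert-request`. MIN_RSA_BITS is an assumed local policy value.
MIN_RSA_BITS=${MIN_RSA_BITS:-2048}

# Print the subject CN of a PEM CSR, lower-cased (empty if there is none).
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed 's/^subject= *//' | tr ',' '\n' |
        sed -n 's/^ *CN=//p' | head -n 1 | tr 'A-Z' 'a-z'
}

# Print the public key size in bits as reported by `openssl req -text`.
csr_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# csr_preflight CSR FQDN
# Returns 0 only if the CSR parses, carries an RSA key of at least
# MIN_RSA_BITS, and its CN equals FQDN. Non-RSA keys are rejected because
# this example only knows how to judge RSA sizes.
csr_preflight() {
    csr=$1
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || {
        echo "REJECT: $csr is not a readable PEM CSR" >&2; return 1; }
    printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' || {
        echo "REJECT: non-RSA key, not covered by this check" >&2; return 1; }
    bits=$(csr_bits "$csr")
    [ -n "$bits" ] && [ "$bits" -ge "$MIN_RSA_BITS" ] || {
        echo "REJECT: RSA key is ${bits:-unknown} bits, need $MIN_RSA_BITS" >&2
        return 1; }
    cn=$(csr_cn "$csr")
    [ "$cn" = "$host" ] || {
        echo "REJECT: CSR CN '$cn' does not match host '$host'" >&2; return 1; }
    echo "OK: $csr ($bits-bit RSA, CN=$cn)"
}

# Usage, with the thread's example host and CSR path:
#   csr_preflight /etc/pki/tls/certs/server.csr webserver1.example.org &&
#       ipa cert-request /etc/pki/tls/certs/server.csr
```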


