Arthur Faizullin wrote:
Is it
about the same?

No, that is for another purpose. That replaces IPA service certs with those from a 3rd party CA (and it doesn't work well at all in 2.2 or 3.0).

I'd recommend certmonger so you can auto-renew certs,

Or manually at


On Fri, 19/07/2013 at 10:56 +0530, M.R Niranjan wrote:
On 07/19/2013 06:57 AM, wrote:

I've been using Redhat IPA 2.2 as our internal CA quite successfully
for a while and managing it from the IPA management website.

I'm struggling to find precise information about the SSL certs and
management at a CLI level.

1) Can I submit SSL CSR via cli?
Yes, you could, using the ipa cert-request command


1. Add the host for which you are generating request.

# ipa host-add

2. Create a CSR (i.e. private key and certificate request) using openssl

        A. Generate private key:

        [root@test1 certs]# openssl genrsa 1024 > server.key

        B. Generate CSR:

        [root@test1 certs]#  openssl req -new -key server.key -out server.csr

3. Submit the certificate request:

# ipa cert-request /etc/pki/tls/certs/server.csr

4. Get the signed certificate out using the ipa cert-show command

[root@test1 certs]# ipa cert-show 12 --out=/etc/pki/tls/certs/server.crt

2) Where are the approved client SSL certs kept in IPA?

They are stored in Directory Server in 2 places

1. Domain suffix tree, cn=computers,cn=accounts,dc=example,dc=org

2. CA store in DS. Certificate system of IPA stores certificates in its
LDAP store (ou=certificateRepository,ou=ca,o=ipaca)



Freeipa-users mailing list
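The four-step procedure in the message above, as an added example that is not part of the original thread: it generates the key and CSR non-interactively, checks that the CSR's CN matches the host entry before submitting, and fetches the issued certificate by the serial number returned. The host name `test1.example.org`, the 2048-bit default (the post uses 1024), the `host/<fqdn>` value passed to `--principal`, and the `Serial number:` line parsed from the `ipa cert-request` output are assumptions of this example.

```bash
#!/bin/bash
# Added example: key + CSR for an IPA-enrolled host, checked before submission.
# Host name, paths and key size are constructed values for illustration.

# Generate a private key (mode 0600) and a CSR whose CN is the host name.
make_csr() {
    local host="$1" dir="$2" bits="${3:-2048}"
    ( umask 077 && openssl genrsa -out "$dir/server.key" "$bits" 2>/dev/null ) || return 1
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" -out "$dir/server.csr"
}

# Print the CN from a CSR's subject.
csr_cn() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" |
        sed -e 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Refuse a CSR whose CN differs from the host entry it will be requested for.
check_csr() {
    local host="$1" csr="$2"
    [ "$(csr_cn "$csr")" = "$host" ]
}

# Steps 1, 3 and 4 of the procedure; needs a Kerberos ticket and the ipa client.
submit_csr() {
    local host="$1" csr="$2" crt="$3" serial
    check_csr "$host" "$csr" || { echo "CN mismatch in $csr" >&2; return 1; }
    # Add the host entry only if it does not exist yet.
    ipa host-show "$host" >/dev/null 2>&1 || ipa host-add "$host" || return 1
    # Assumption: the command output contains a "Serial number: N" line.
    serial=$(ipa cert-request "$csr" --principal="host/$host" |
        awk -F': ' '/Serial number:/ {print $2; exit}')
    [ -n "$serial" ] || { echo "no serial returned" >&2; return 1; }
    ipa cert-show "$serial" --out="$crt"
}
```

Call `make_csr test1.example.org /etc/pki/tls/certs` and then `submit_csr test1.example.org /etc/pki/tls/certs/server.csr /etc/pki/tls/certs/server.crt` on an enrolled machine after `kinit`.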
