I wrote the following guide for sysadmins at my university in an attempt to coalesce in one place what I consider to be the good practices for X.509 certificate management using OpenSSL. I've included examples on how to load private keys, end-entity certificates and intermediate certificates into alternate trust stores (PKCS for IIS and JKS for Java).
https://confluence.id.ubc.ca:8443/display/ITSecurity/how+to+obtain%2C+deploy+and+verify+an+X.509+certificate Let me know if you have suggestions for improvement. -- Luca Filipozzi, UBC IT Enterprise Architecture On Feb 2, 2016, at 15:43, Christopher Young <mexigaba...@gmail.com<mailto:mexigaba...@gmail.com>> wrote: I've been doing some reading and perhaps I'm confusing myself, but I couldn't find any definitive guide on how to go about doing what I think it a pretty simple thing. My ipa-client installs appear to generate a new TLS/SSL/PKI cert for each host when they are registered. I'd like to utilize that certificate with Apache/tomcat/etc.. I'm aware of how to obtain the certificate itself, however I'm not clear on how to obtain the private key (in a format that I can use as well) that was used to generate the certificate. Would someone kindly point me in the right direction or ideally just educate me on the command/options needed to do this. In particular, I'm looking to create pem files for both the key and cert for use with Apache, but it would be useful to understand how to do it for other stores as well. (Hint: this would be great to just have in a document that makes it clear). :) Thanks again to the freeipa team. I love this product. -- Chris -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project