On 02/03/2016 12:42 AM, Christopher Young wrote:
> I've been doing some reading and perhaps I'm confusing myself, but I
> couldn't find any definitive guide on how to go about doing what I
> think it a pretty simple thing.
> 
> My ipa-client installs appear to generate a new TLS/SSL/PKI cert for
> each host when they are registered.  I'd like to utilize that
> certificate with Apache/tomcat/etc..  I'm aware of how to obtain the
> certificate itself, however I'm not clear on how to obtain the private
> key (in a format that I can use as well) that was used to generate the
> certificate.
> 
> Would someone kindly point me in the right direction or ideally just
> educate me on the command/options needed to do this.  In particular,
> I'm looking to create pem files for both the key and cert for use with
> Apache, but it would be useful to understand how to do it for other
> stores as well.  (Hint: this would be great to just have in a document
> that makes it clear). :)

Hi Chris,

I do not think it is a good idea to do what you are doing :-) The host
certificate does not need to be the same as Web certificate. From FreeIPA 4.1
(IIRC), it is not even requested by default on all clients.

I would rather recommend generating a separate certificate for the Web UI, we
have some walkthrough here:

http://www.freeipa.org/page/PKI#Requesting_a_new_certificate

> Thanks again to the freeipa team.  I love this product.

And I love to hear notes from the community like this, very rewarding!

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to