Thanks. That's good advice and good to know. I'm going to be trying to work this into an Ansible role, so having a command listing helps a lot.
That leads to a curious question if anyone has thought about building an Ansible module(s) for manipulating FreeIPA objects. I'm going to do some searching for that.

On Wed, Feb 3, 2016 at 3:12 AM, Martin Kosek <mko...@redhat.com> wrote:
> On 02/03/2016 12:42 AM, Christopher Young wrote:
>> I've been doing some reading and perhaps I'm confusing myself, but I
>> couldn't find any definitive guide on how to go about doing what I
>> think is a pretty simple thing.
>>
>> My ipa-client installs appear to generate a new TLS/SSL/PKI cert for
>> each host when they are registered. I'd like to utilize that
>> certificate with Apache/tomcat/etc.. I'm aware of how to obtain the
>> certificate itself, however I'm not clear on how to obtain the private
>> key (in a format that I can use as well) that was used to generate the
>> certificate.
>>
>> Would someone kindly point me in the right direction or ideally just
>> educate me on the command/options needed to do this. In particular,
>> I'm looking to create pem files for both the key and cert for use with
>> Apache, but it would be useful to understand how to do it for other
>> stores as well. (Hint: this would be great to just have in a document
>> that makes it clear). :)
>
> Hi Chris,
>
> I do not think it is a good idea to do what you are doing :-) The host
> certificate does not need to be the same as Web certificate. From FreeIPA 4.1
> (IIRC), it is not even requested by default on all clients.
>
> I would rather recommend generating a separate certificate for the Web UI, we
> have some walkthrough here:
>
> http://www.freeipa.org/page/PKI#Requesting_a_new_certificate
>
>> Thanks again to the freeipa team. I love this product.
>
> And I love to hear notes from the community like this, very rewarding!