Thanks.  That's good advice and good to know.  I'm going to be trying
to work this into an Ansible role, so having a command listing helps

That leads to a curious question if anyone has thought about building
an Ansible module(s) for manipulating FreeIPA objects.  I'm going to
do some searching for that.

On Wed, Feb 3, 2016 at 3:12 AM, Martin Kosek <> wrote:
> On 02/03/2016 12:42 AM, Christopher Young wrote:
>> I've been doing some reading and perhaps I'm confusing myself, but I
>> couldn't find any definitive guide on how to go about doing what I
>> think it a pretty simple thing.
>> My ipa-client installs appear to generate a new TLS/SSL/PKI cert for
>> each host when they are registered.  I'd like to utilize that
>> certificate with Apache/tomcat/etc..  I'm aware of how to obtain the
>> certificate itself, however I'm not clear on how to obtain the private
>> key (in a format that I can use as well) that was used to generate the
>> certificate.
>> Would someone kindly point me in the right direction or ideally just
>> educate me on the command/options needed to do this.  In particular,
>> I'm looking to create pem files for both the key and cert for use with
>> Apache, but it would be useful to understand how to do it for other
>> stores as well.  (Hint: this would be great to just have in a document
>> that makes it clear). :)
> Hi Chris,
> I do not think it is a good idea to do what you are doing :-) The host
> certificate does not need to be the same as Web certificate. From FreeIPA 4.1
> (IIRC), it is not even requested by default on all clients.
> I would rather recommend generating a separate certificate for the Web UI, we
> have some walkthrough here:
>> Thanks again to the freeipa team.  I love this product.
> And I love to hear notes from the community like this, very rewarding!

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to