lejeczek wrote:
hi users,

as one follows official docs and issues a certificate for a
service/host, one wonders what is the correct way to move such a
certificate to a host(which is domain member) ?
I understand certificates issued with:

$ ipa cert-re­quest -add --prin­ci­pal

are stored in ldap backend, (yet I don't quite get the difference
between that tool and ipa-certget).

The first uses the IPA command-line to get a cert directly. ipa-getcert uses certmonger.

If you are getting a certificate for another host, particularly if that host isn't an IPA client, then the first form is the way to go.

How do I get such a certificate off the server and to a host-not-server?

$ ipa cert-show <serial#> --out cert.pem

In my case I'm hoping to use this certificate in apache+nss.
I realize I also will need CA certificate on that host, which I got hold
of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's the
right way?

So in this case you'd want to generate the CSR on the host-not-server using certutil. You'd take that CSR to the enrolled host and run ipa cert-request ...

Get a copy of the cert and get that and /etc/ipa/ca.crt to the host-not-server.

Use certutil to add both to your NSS database.


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to