On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote:
> lejeczek wrote:
> > hi users,
> >
> > as one follows official docs and issues a certificate for a
> > service/host, one wonders what is the correct way to move such a
> > certificate to a host (which is a domain member)?
> > I understand certificates issued with:
> >
> > $ ipa cert-request -add --principal
> >
> > are stored in ldap backend, (yet I don't quite get the difference
> > between that tool and ipa-certget).
>
> The first uses the IPA command-line to get a cert directly. ipa-getcert
> uses certmonger.
>
> If you are getting a certificate for another host, particularly if that
> host isn't an IPA client, then the first form is the way to go.
>
> > How do I get such a certificate off the server and to a host-not-server?
>
> $ ipa cert-show <serial#> --out cert.pem
>
> > In my case I'm hoping to use this certificate in apache+nss.
> > I realize I also will need CA certificate on that host, which I got hold
> > of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's the
> > right way?
>
> So in this case you'd want to generate the CSR on the host-not-server
> using certutil. You'd take that CSR to the enrolled host and run ipa
> cert-request ...
>
> Get a copy of the cert and get that and /etc/ipa/ca.crt to the

Is this the only place where IPA's CA cert resides?
I thought that that cert would be in /etc/dirsrv/slapd-MY-DOMAIN

$ certutil -d /etc/dirsrv/slapd-MY.. gets me:

MY-DOMAIN IPA CA    CT,C,C
Server-Cert         u,u,u

What is that IPA CA then?
I also see the same with:

$ certutil -d /etc/httpd/alias -L

Is this the same one certificate? (including /etc/ipa/ca.crt)

I get these with:

ipa-getcert list

I'm guessing these are set up by the installer and to be managed by certmonger, for DS and the web server, for certificate auto-management purposes?

many thanks.

> host-not-server.
>
> Use certutil to add both to your NSS database.
>
> rob
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
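The open question in the message above is whether the "MY-DOMAIN IPA CA" entry in the dirsrv and httpd NSS databases is the same certificate as /etc/ipa/ca.crt. As an added example (not code from the thread or from the FreeIPA project), the following Python script answers that by comparing SHA-256 fingerprints of the DER encoding, exporting the NSS entry with `certutil -L -n NICK -a`; the database paths and nickname are the ones quoted in the thread, and the sample PEM at the bottom is constructed for the self-test and is not a real certificate.

```python
import base64
import hashlib
import re
import shutil
import subprocess
from pathlib import Path

# Matches the first CERTIFICATE block in PEM text, whatever the line wrapping.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM string to its DER bytes."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found in input")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(pem: str) -> str:
    """SHA-256 of the DER; PEM whitespace and wrapping do not affect the result."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def same_cert(pem_a: str, pem_b: str) -> bool:
    """True when both PEM inputs carry byte-identical certificates."""
    return fingerprint(pem_a) == fingerprint(pem_b)


def nss_cert_pem(dbdir: str, nickname: str) -> str:
    """Export one certificate from an NSS database as PEM via certutil."""
    if shutil.which("certutil") is None:
        raise RuntimeError("certutil (nss-tools) is not installed")
    result = subprocess.run(["certutil", "-d", dbdir, "-L", "-n", nickname, "-a"],
                            check=True, capture_output=True, text=True)
    return result.stdout


def make_pem(der: bytes, wrap: bool = True) -> str:
    """Build a PEM block from DER bytes; wrap=False emits the base64 on one line."""
    body = base64.encodebytes(der).decode() if wrap else base64.b64encode(der).decode() + "\n"
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed placeholder bytes for the self-test: NOT a real certificate.
SAMPLE_DER = bytes(range(64))

if __name__ == "__main__":
    ca_pem = Path("/etc/ipa/ca.crt").read_text()
    for dbdir in ("/etc/dirsrv/slapd-MY-DOMAIN", "/etc/httpd/alias"):
        nss_pem = nss_cert_pem(dbdir, "MY-DOMAIN IPA CA")
        print(f"{dbdir}: same as /etc/ipa/ca.crt -> {same_cert(ca_pem, nss_pem)}")
```

Run it on the IPA server as root; a `False` for either database means that NSS entry is not the CA in /etc/ipa/ca.crt and deserves a closer look.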