lejeczek wrote:
On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote:
lejeczek wrote:
hi users, as one follows official docs and issues a certificate for a
service/host, one wonders what is the correct way to move such a
certificate to a host(which is domain member) ? I understand
certificates issued with: $ ipa cert-re­quest -add --prin­ci­pal are
stored in ldap backend, (yet I don't quite get the difference between
that tool and ipa-certget).

The first uses the IPA command-line to get a cert directly. ipa-getcert
uses certmonger.

If you are getting a certificate for another host, particularly if that
host isn't an IPA client, then the first form is the way to go.

How do I get such a certificate off the server and to a host-not-server?

$ ipa cert-show <serial#> --out cert.pem

In my case I'm hoping to use this certificate in apache+nss. I
realize I also will need CA certificate on that host, which I got
hold of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if
it's the right way?

So in this case you'd want to generate the CSR on the host-not-server
using certutil. You'd take that CSR to the enrolled host and run ipa
cert-request ...

Get a copy of the cert and get that and /etc/ipa/ca.crt to the
Is this the only place where IPA' CA cert resides?
I thought that that cert will be in /etc/dirsrv/slapd-MY-DOMAIN
$ certutil -d /etc/dirsrv/slapd-MY..
gets me:


what is that IPA CA then?
I also see the same with:
$ certutil -d /etc/httpd/alias -L
Is this the same one certificate? (including /etc/ipa/ca.crt)

Yes, these are all (or should be) the same (there is a copy in LDAP too).

I get these with: ipa-getcert list
I'm guessing these are set up by installer and to be managed by
certmonger, for DS and web server for certificates auto management purposes?

Yes, certmonger manages automatic renewal.


many thanks.


Use certutil to add both to your NSS database.


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to