On 24.07.2016 16:33, Anthony Clark wrote:
Hello All,
I have a crazy notion of storing a host's SSH private keys in an ipa
vault, so that a rebuilt host can use the same keys.
I'm on CentOS 7.2 and I'm using the RPMs available in the standard
centos base repository, so I'm constrained to version 1.0 vaults. I'm
using this page:
http://www.freeipa.org/page/V4/Password_Vault_1.0#Provisioning_service_vault_password_for_service_instance
I'm trying these following steps but running into trouble:
ipa service-add ssh/test01.dev.redacted.net
certutil -N -d testcertdb
certutil -R -d testcertdb -a -g 2048 -s 'CN=test01.dev.redacted.net,O=DEV.REDACTED.NET'
<paste that csr into the ipa web gui>
ipa-getcert request -r -f testsshd01-cert.pem -k testsshd01-key.pem -K ssh/test01.dev.redacted....@dev.redacted.net
ipa vault-add testsshd02 --service ssh/test01.dev.redacted....@dev.redacted.net --type asymmetric --public-key-file testsshd01-cert.pem
the last command gives me "ipa: ERROR: invalid 'ipavaultpublickey':
Invalid or unsupported vault public key: Could not unserialize key data."
Is there a preferred way to create a public key for asymmetric
encryption for a service vault?
Thanks,
Anthony Clark
Hello,
I suspect you should use just a private key, not a certificate
https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL
Regards,
Martin
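Added example (editor's code, not from either poster or from FreeIPA): the file handed to `ipa vault-add --type asymmetric --public-key-file` is a PEM-encoded public key (a SubjectPublicKeyInfo, the block labelled `PUBLIC KEY` that `openssl rsa -pubout` or `openssl x509 -pubkey -noout` prints). A certificate PEM contains that key but is a different object, so a parser that expects a public key rejects it, which is what the `Could not unserialize key data` error in the thread reports. The code below shows the distinction concretely using only the Python standard library: a tiny DER encoder builds a constructed, unsigned, certificate-shaped blob around a toy RSA modulus (not a real key), and a minimal DER walker pulls the SubjectPublicKeyInfo back out of it and re-wraps it as a `PUBLIC KEY` PEM. All names, the hostname and the key values are assumptions made for the example.

```python
"""Certificate PEM vs. public-key PEM for an asymmetric IPA vault (added example)."""
import base64

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")       # 1.2.840.113549.1.1.11
COMMON_NAME_OID = bytes.fromhex("0603550403")                  # 2.5.4.3
TOY_N = int("c0ffee" * 32, 16)   # constructed toy modulus, NOT a real key
TOY_E = 65537


# ---- minimal DER encoding (enough to build the sample certificate) ----
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + der_len(len(payload)) + payload


def der_int(value: int) -> bytes:
    # one extra byte when the top bit is set, so the INTEGER stays positive
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def der_seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))


def build_rsa_spki(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo: SEQUENCE { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }."""
    rsa_public_key = der_seq(der_int(n), der_int(e))
    return der_seq(der_seq(RSA_ENCRYPTION_OID, b"\x05\x00"),
                   der(0x03, b"\x00" + rsa_public_key))   # 0 unused bits


def build_toy_certificate(spki: bytes) -> bytes:
    """An X.509-shaped DER structure with a zeroed signature; only the layout matters here."""
    name = der_seq(der(0x31, der_seq(COMMON_NAME_OID, der(0x0C, b"test01.example.test"))))
    alg = der_seq(SHA256_RSA_OID, b"\x05\x00")
    tbs = der_seq(
        der(0xA0, der_int(2)),                                  # [0] version v3
        der_int(1),                                             # serialNumber
        alg,                                                    # signature algorithm
        name,                                                   # issuer
        der_seq(der(0x17, b"160724000000Z"), der(0x17, b"260724000000Z")),  # validity
        name,                                                   # subject
        spki,                                                   # subjectPublicKeyInfo
    )
    return der_seq(tbs, alg, der(0x03, b"\x00" + bytes(32)))  # placeholder signature


# ---- PEM helpers ----
def to_pem(label: str, der_bytes: bytes) -> str:
    b64 = base64.b64encode(der_bytes).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def pem_label(pem: str) -> str:
    first = pem.strip().splitlines()[0]
    if not (first.startswith("-----BEGIN ") and first.endswith("-----")):
        raise ValueError("not a PEM block")
    return first[len("-----BEGIN "):-len("-----")]


def pem_body(pem: str) -> bytes:
    lines = [line.strip() for line in pem.strip().splitlines()]
    return base64.b64decode("".join(lines[1:-1]))


# ---- minimal DER walking (enough to locate the SPKI inside a certificate) ----
def der_read(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV that starts at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def der_children(seq: bytes):
    """Split a SEQUENCE into the raw TLVs it contains."""
    tag, body, _ = der_read(seq, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        _, _, nxt = der_read(body, pos)
        out.append(body[pos:nxt])
        pos = nxt
    return out


def spki_from_certificate(cert_der: bytes) -> bytes:
    tbs = der_children(der_children(cert_der)[0])   # Certificate -> TBSCertificate fields
    idx = 1 if tbs[0][0] == 0xA0 else 0              # optional [0] version shifts the fields
    return tbs[idx + 5]                              # serial, alg, issuer, validity, subject, SPKI


def vault_public_key_pem(pem: str) -> str:
    """Return a PUBLIC KEY PEM usable with --public-key-file, or say why the input cannot be."""
    label = pem_label(pem)
    if label == "PUBLIC KEY":
        return pem
    if label == "CERTIFICATE":
        return to_pem("PUBLIC KEY", spki_from_certificate(pem_body(pem)))
    raise ValueError(f"{label} PEM is not a public key; the vault needs a SubjectPublicKeyInfo")


if __name__ == "__main__":
    cert_pem = to_pem("CERTIFICATE", build_toy_certificate(build_rsa_spki(TOY_N, TOY_E)))
    print(cert_pem)
    print(vault_public_key_pem(cert_pem))
```

In practice the same extraction is `openssl x509 -in testsshd01-cert.pem -pubkey -noout > testsshd01-pub.pem`, after which `--public-key-file testsshd01-pub.pem` is what the vault command expects; if no certificate is needed at all, `openssl genrsa` followed by `openssl rsa -pubout` produces the same `PUBLIC KEY` block directly, and the private half is the thing to keep off the host being rebuilt.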
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project