Re: [Freeipa-users] vaults and service accounts

Mon, 25 Jul 2016 07:41:02 -0700 


On 25.07.2016 16:22, Anthony Clark wrote:

I wondered about that, but the docs specifically say public key, and 
the command line option to "ipa vault-add" is "--public-key"


From "ipa vault-add --help"

  --public-key=BYTES    Vault public key
  --public-key-file=STR   File containing the vault public key

So I hope you can understand my confusion ;)


Can anyone else speak to whether the newer versions of the vault code 
is any different?


Thank you, Martin!


Yeah sorry, I meant public key, private key is used for decipher.

My point was just not to use certificate.

Martin




On Mon, Jul 25, 2016 at 4:32 AM, Martin Basti <mba...@redhat.com 
<mailto:mba...@redhat.com>> wrote:




    On 24.07.2016 16:33, Anthony Clark wrote:

    Hello All,

    I have a crazy notion of storing a host's SSH private keys in a
    ipa vault, so that a rebuilt host can use the same keys.

    I'm on CentOS 7.2 and I'm using the RPMs available in the
    standard centos base repository, so I'm constrained to version
    1.0 vaults.  I'm using this page:
    
http://www.freeipa.org/page/V4/Password_Vault_1.0#Provisioning_service_vault_password_for_service_instance

    I'm trying these following steps but running into trouble:

    ipa service-add ssh/test01.dev.redacted.net
    <http://test01.dev.redacted.net>

    certutil -N -d testcertdb

    certutil -R -d testcertdb -a -g 2048 -s
    'CN=test01.dev.redacted.net
    <http://test01.dev.redacted.net>,O=DEV.REDACTED.NET
    <http://DEV.REDACTED.NET>'
    <paste that csr into the ipa web gui>

    ipa-getcert request -r -f testsshd01-cert.pem -k
    testsshd01-key.pem -K
    ssh/test01.dev.redacted....@dev.redacted.net
    <mailto:test01.dev.redacted....@dev.redacted.net>

    ipa vault-add testsshd02 --service
    ssh/test01.dev.redacted....@dev.redacted.net
    <mailto:test01.dev.redacted....@dev.redacted.net> --type
    asymmetric --public-key-file testsshd01-cert.pem

    the last command gives me "ipa: ERROR: invalid
    'ipavaultpublickey': Invalid or unsupported vault public key:
    Could not unserialize key data."

    Is there a preferred way to create a public key for asymmetric
    encryption for a service vault?

    Thanks,

    Anthony Clark




    Hello,
    I suspect you should use just private key, not certificate

    https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL

    Regards,
    Martin





-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project





















					Reply via email to