[Freeipa-users] Re: Retrieve private key from CA chain

2019-10-22 Thread Rob Crittenden via FreeIPA-users
Sam Klein via FreeIPA-users wrote:
> Hi Rob,
> 
>> Need more context on what you're trying to do.
> 
> I hope to use a key to identify each endpoint for a Cisco Identity Services 
> Engine.
> 
> To do so, I need a private key.
> 
> My hope was that IdM could automate this for me with a CA chain.
> 
> Does this context help?

So you need to generate a certificate for the Cisco server.

You need to generate your own private key and a CSR from that and submit
it to IPA to issue the certificate.

A certificate in IPA must be associated with an entry (host or service).
So you'll need to create a host or service for the Cisco device and
request the certificate against that host/service.

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
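
The procedure described in the reply above, as an added example that is not part of the original thread: the key and CSR are created locally, and only the CSR goes to IPA. The hostname `ise01.example.test`, the file names and the function names are constructed placeholders; the `ipa` commands assume a valid Kerberos ticket for a user allowed to add hosts and request certificates.

```shell
#!/bin/sh
# Added example; host name and file names are constructed placeholders.

# Step 1: create the private key and the CSR on a machine you control.
# The key is generated locally and never sent to IPA; only the CSR is.
make_key_and_csr() {    # usage: make_key_and_csr <fqdn> <output-dir>
    (
        umask 077       # key file readable by its owner only
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$2/$1.key" -out "$2/$1.csr" \
            -subj "/CN=$1" 2>/dev/null
    )
}

# Check before submitting: the public key inside the CSR must be the one
# derived from the private key that will be installed on the device.
csr_matches_key() {     # usage: csr_matches_key <csr-file> <key-file>
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# Steps 2 and 3: create the host entry for the device, then request the
# certificate against that host principal and save the issued certificate.
submit_to_ipa() {       # usage: submit_to_ipa <fqdn> <dir>
    ipa host-add "$1" --force &&    # --force: add even without a DNS record
    ipa cert-request "$2/$1.csr" --principal="host/$1" \
        --certificate-out="$2/$1.pem"
}

# Typical sequence (not run automatically):
#   make_key_and_csr ise01.example.test . &&
#   csr_matches_key ise01.example.test.csr ise01.example.test.key &&
#   submit_to_ipa ise01.example.test .
```

The CA private key is never involved on the requester's side; the device ends up with its own key plus the certificate IPA issued for it.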


[Freeipa-users] Re: Retrieve private key from CA chain

2019-10-21 Thread Sam Klein via FreeIPA-users
Hi Rob,

> Need more context on what you're trying to do.

I hope to use a key to identify each endpoint for a Cisco Identity Services 
Engine.

To do so, I need a private key.

My hope was that IdM could automate this for me with a CA chain.

Does this context help?

Sam


[Freeipa-users] Re: Retrieve private key from CA chain

2019-10-21 Thread Rob Crittenden via FreeIPA-users
Sam Klein via FreeIPA-users wrote:
> Using certutil, I'm able to extract my localhost CA using this command.
> 
> certutil -L -d dbm:/etc/ipa/nssdb -a -n 'Local IPA host'
> 
> However, I need a signing key to create a private key. Is there a method to 
> extract a private key that signed my localhost CA from the endpoint, or does 
> this key exist on my server?

Need more context on what you're trying to do. You shouldn't need direct
access to the CA private key.

rob