Re: [Freeipa-users] Obtaining certificate private keys for Apache/etc.

2016-02-04 Thread Rob Crittenden 

Christopher Young wrote:

Thanks.  That's good advice and good to know.  I'm going to be trying
to work this into an Ansible role, so having a command listing helps
alot.

That leads to a curious question if anyone has thought about building
an Ansible module(s) for manipulating FreeIPA objects.  I'm going to
do some searching for that.


To close the loop, the dfault cert in IPA clients is stored in an NSS 
database and NSS doesn't give up its private keys willingly. The only 
way to get them is to export to a PKCS#12 file using pk12util then 
extract them using openssl pkcs12.


rob



On Wed, Feb 3, 2016 at 3:12 AM, Martin Kosek  wrote:

On 02/03/2016 12:42 AM, Christopher Young wrote:

I've been doing some reading and perhaps I'm confusing myself, but I
couldn't find any definitive guide on how to go about doing what I
think it a pretty simple thing.

My ipa-client installs appear to generate a new TLS/SSL/PKI cert for
each host when they are registered.  I'd like to utilize that
certificate with Apache/tomcat/etc..  I'm aware of how to obtain the
certificate itself, however I'm not clear on how to obtain the private
key (in a format that I can use as well) that was used to generate the
certificate.

Would someone kindly point me in the right direction or ideally just
educate me on the command/options needed to do this.  In particular,
I'm looking to create pem files for both the key and cert for use with
Apache, but it would be useful to understand how to do it for other
stores as well.  (Hint: this would be great to just have in a document
that makes it clear). :)


Hi Chris,

I do not think it is a good idea to do what you are doing :-) The host
certificate does not need to be the same as Web certificate. From FreeIPA 4.1
(IIRC), it is not even requested by default on all clients.

I would rather recommend generating a separate certificate for the Web UI, we
have some walkthrough here:

http://www.freeipa.org/page/PKI#Requesting_a_new_certificate


Thanks again to the freeipa team.  I love this product.


And I love to hear notes from the community like this, very rewarding!




--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Obtaining certificate private keys for Apache/etc.

2016-02-03 Thread Martin Kosek 
On 02/03/2016 12:42 AM, Christopher Young wrote:
> I've been doing some reading and perhaps I'm confusing myself, but I
> couldn't find any definitive guide on how to go about doing what I
> think it a pretty simple thing.
> 
> My ipa-client installs appear to generate a new TLS/SSL/PKI cert for
> each host when they are registered.  I'd like to utilize that
> certificate with Apache/tomcat/etc..  I'm aware of how to obtain the
> certificate itself, however I'm not clear on how to obtain the private
> key (in a format that I can use as well) that was used to generate the
> certificate.
> 
> Would someone kindly point me in the right direction or ideally just
> educate me on the command/options needed to do this.  In particular,
> I'm looking to create pem files for both the key and cert for use with
> Apache, but it would be useful to understand how to do it for other
> stores as well.  (Hint: this would be great to just have in a document
> that makes it clear). :)

Hi Chris,

I do not think it is a good idea to do what you are doing :-) The host
certificate does not need to be the same as Web certificate. From FreeIPA 4.1
(IIRC), it is not even requested by default on all clients.

I would rather recommend generating a separate certificate for the Web UI, we
have some walkthrough here:

http://www.freeipa.org/page/PKI#Requesting_a_new_certificate

> Thanks again to the freeipa team.  I love this product.

And I love to hear notes from the community like this, very rewarding!

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Obtaining certificate private keys for Apache/etc.

2016-02-03 Thread Christopher Young 
Thanks.  That's good advice and good to know.  I'm going to be trying
to work this into an Ansible role, so having a command listing helps
alot.

That leads to a curious question if anyone has thought about building
an Ansible module(s) for manipulating FreeIPA objects.  I'm going to
do some searching for that.

On Wed, Feb 3, 2016 at 3:12 AM, Martin Kosek  wrote:
> On 02/03/2016 12:42 AM, Christopher Young wrote:
>> I've been doing some reading and perhaps I'm confusing myself, but I
>> couldn't find any definitive guide on how to go about doing what I
>> think it a pretty simple thing.
>>
>> My ipa-client installs appear to generate a new TLS/SSL/PKI cert for
>> each host when they are registered.  I'd like to utilize that
>> certificate with Apache/tomcat/etc..  I'm aware of how to obtain the
>> certificate itself, however I'm not clear on how to obtain the private
>> key (in a format that I can use as well) that was used to generate the
>> certificate.
>>
>> Would someone kindly point me in the right direction or ideally just
>> educate me on the command/options needed to do this.  In particular,
>> I'm looking to create pem files for both the key and cert for use with
>> Apache, but it would be useful to understand how to do it for other
>> stores as well.  (Hint: this would be great to just have in a document
>> that makes it clear). :)
>
> Hi Chris,
>
> I do not think it is a good idea to do what you are doing :-) The host
> certificate does not need to be the same as Web certificate. From FreeIPA 4.1
> (IIRC), it is not even requested by default on all clients.
>
> I would rather recommend generating a separate certificate for the Web UI, we
> have some walkthrough here:
>
> http://www.freeipa.org/page/PKI#Requesting_a_new_certificate
>
>> Thanks again to the freeipa team.  I love this product.
>
> And I love to hear notes from the community like this, very rewarding!

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Obtaining certificate private keys for Apache/etc.

2016-02-02 Thread Christopher Young 
I've been doing some reading and perhaps I'm confusing myself, but I
couldn't find any definitive guide on how to go about doing what I
think it a pretty simple thing.

My ipa-client installs appear to generate a new TLS/SSL/PKI cert for
each host when they are registered.  I'd like to utilize that
certificate with Apache/tomcat/etc..  I'm aware of how to obtain the
certificate itself, however I'm not clear on how to obtain the private
key (in a format that I can use as well) that was used to generate the
certificate.

Would someone kindly point me in the right direction or ideally just
educate me on the command/options needed to do this.  In particular,
I'm looking to create pem files for both the key and cert for use with
Apache, but it would be useful to understand how to do it for other
stores as well.  (Hint: this would be great to just have in a document
that makes it clear). :)

Thanks again to the freeipa team.  I love this product.

-- Chris

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Obtaining certificate private keys for Apache/etc.

2016-02-02 Thread Filipozzi, Luca 
I wrote the following guide for sysadmins at my university in an attempt to 
coalesce in one place what I consider to be the good practices for X.509 
certificate management using OpenSSL.  I've included examples on how to load 
private keys, end-entity certificates and intermediate certificates into 
alternate trust stores (PKCS for IIS and JKS for Java).

https://confluence.id.ubc.ca:8443/display/ITSecurity/how+to+obtain%2C+deploy+and+verify+an+X.509+certificate

Let me know if you have suggestions for improvement.

--
Luca Filipozzi, UBC IT Enterprise Architecture

On Feb 2, 2016, at 15:43, Christopher Young 
> wrote:

I've been doing some reading and perhaps I'm confusing myself, but I
couldn't find any definitive guide on how to go about doing what I
think it a pretty simple thing.

My ipa-client installs appear to generate a new TLS/SSL/PKI cert for
each host when they are registered.  I'd like to utilize that
certificate with Apache/tomcat/etc..  I'm aware of how to obtain the
certificate itself, however I'm not clear on how to obtain the private
key (in a format that I can use as well) that was used to generate the
certificate.

Would someone kindly point me in the right direction or ideally just
educate me on the command/options needed to do this.  In particular,
I'm looking to create pem files for both the key and cert for use with
Apache, but it would be useful to understand how to do it for other
stores as well.  (Hint: this would be great to just have in a document
that makes it clear). :)

Thanks again to the freeipa team.  I love this product.

-- Chris

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Obtaining certificate private keys for Apache/etc.

2016-02-02 Thread Christopher Young 
That looks more like a regular SSL/TLS guide.  I was asking about
interacting with FreeIPA (likely via certmonger, I think)
specifically.  If anyone has details on obtaining the default system
cert (and especially the private key) and exporting/converting to
PEMs, I'd greatly appreciate.

I will try and look over your guide regardless soon and provide some
feedback.  At the moment, I'm confused about where the private keys
used to generate the default host PKI certs are stored and how to
extract them.

On Tue, Feb 2, 2016 at 6:50 PM, Filipozzi, Luca  wrote:
> I wrote the following guide for sysadmins at my university in an attempt to
> coalesce in one place what I consider to be the good practices for X.509
> certificate management using OpenSSL.  I've included examples on how to load
> private keys, end-entity certificates and intermediate certificates into
> alternate trust stores (PKCS for IIS and JKS for Java).
>
> https://confluence.id.ubc.ca:8443/display/ITSecurity/how+to+obtain%2C+deploy+and+verify+an+X.509+certificate
>
> Let me know if you have suggestions for improvement.
>
> --
> Luca Filipozzi, UBC IT Enterprise Architecture
>
> On Feb 2, 2016, at 15:43, Christopher Young  wrote:
>
> I've been doing some reading and perhaps I'm confusing myself, but I
> couldn't find any definitive guide on how to go about doing what I
> think it a pretty simple thing.
>
> My ipa-client installs appear to generate a new TLS/SSL/PKI cert for
> each host when they are registered.  I'd like to utilize that
> certificate with Apache/tomcat/etc..  I'm aware of how to obtain the
> certificate itself, however I'm not clear on how to obtain the private
> key (in a format that I can use as well) that was used to generate the
> certificate.
>
> Would someone kindly point me in the right direction or ideally just
> educate me on the command/options needed to do this.  In particular,
> I'm looking to create pem files for both the key and cert for use with
> Apache, but it would be useful to understand how to do it for other
> stores as well.  (Hint: this would be great to just have in a document
> that makes it clear). :)
>
> Thanks again to the freeipa team.  I love this product.
>
> -- Chris
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project