Re: [Freeipa-users] service cert to a host/member/service

2016-05-05 Thread Rob Crittenden

lejeczek wrote:

On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote:

lejeczek wrote:

hi users, as one follows official docs and issues a certificate for a
service/host, one wonders what is the correct way to move such a
certificate to a host (which is a domain member)? I understand
certificates issued with: $ ipa cert-request -add --principal are
stored in the LDAP backend (yet I don't quite get the difference between
that tool and ipa-certget).



The first uses the IPA command-line to get a cert directly. ipa-getcert
uses certmonger.

If you are getting a certificate for another host, particularly if that
host isn't an IPA client, then the first form is the way to go.


How do I get such a certificate off the server and to a host-not-server?



$ ipa cert-show  --out cert.pem


In my case I'm hoping to use this certificate in apache+nss. I
realize I also will need the CA certificate on that host, which I got
hold of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if
it's the right way?



So in this case you'd want to generate the CSR on the host-not-server
using certutil. You'd take that CSR to the enrolled host and run ipa
cert-request ...

Get a copy of the cert and get that and /etc/ipa/ca.crt to the

Is this the only place where IPA's CA cert resides?
I thought that that cert will be in /etc/dirsrv/slapd-MY-DOMAIN
$ certutil -d /etc/dirsrv/slapd-MY..
gets me:

MY-DOMAIN IPA CA    CT,C,C
Server-Cert         u,u,u

what is that IPA CA then?
I also see the same with:
$ certutil -d /etc/httpd/alias -L
Is this the same one certificate? (including /etc/ipa/ca.crt)


Yes, these are all (or should be) the same (there is a copy in LDAP too).


I get these with: ipa-getcert list
I'm guessing these are set up by the installer and to be managed by
certmonger, for DS and web server for certificate auto-management purposes?


Yes, certmonger manages automatic renewal.

rob


many thanks.


host-not-server.

Use certutil to add both to your NSS database.

rob



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] service cert to a host/member/service

2016-05-05 Thread Petr Vobornik
On 05/05/2016 11:44 AM, lejeczek wrote:
> On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote:
>> lejeczek wrote:
>>> hi users, as one follows official docs and issues a certificate for a
>>> service/host, one wonders what is the correct way to move such a
>>> certificate to a host (which is a domain member)? I understand
>>> certificates issued with: $ ipa cert-request -add --principal are
>>> stored in the LDAP backend (yet I don't quite get the difference between
>>> that tool and ipa-certget).
>>
>>
>> The first uses the IPA command-line to get a cert directly. ipa-getcert
>> uses certmonger.
>>
>> If you are getting a certificate for another host, particularly if that
>> host isn't an IPA client, then the first form is the way to go.
>>
>>> How do I get such a certificate off the server and to a host-not-server? 
>>
>>
>> $ ipa cert-show  --out cert.pem
>>
>>> In my case I'm hoping to use this certificate in apache+nss. I realize I
>>> also will need the CA certificate on that host, which I got hold of with
>>> certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's the right way?
>>
>>
>> So in this case you'd want to generate the CSR on the host-not-server
>> using certutil. You'd take that CSR to the enrolled host and run ipa
>> cert-request ...
>>
>> Get a copy of the cert and get that and /etc/ipa/ca.crt to the
> Is this the only place where IPA's CA cert resides?
> I thought that that cert will be in /etc/dirsrv/slapd-MY-DOMAIN
> $ certutil -d /etc/dirsrv/slapd-MY..
> gets me:
> 
> MY-DOMAIN IPA CA    CT,C,C
> Server-Cert         u,u,u
> 
> what is that IPA CA then?
> I also see the same with:
> $ certutil -d /etc/httpd/alias -L
> Is this the same one certificate? (including /etc/ipa/ca.crt)
> 
> I get these with: ipa-getcert list
> I'm guessing these are set up by the installer and to be managed by certmonger,
> for DS and web server for certificate auto-management purposes?

You can use the generic `getcert` tool to get all certs managed by
certmonger and their location. It will also show you PKI internal certs.

  # getcert list

`ipa-getcert list` is equivalent to `getcert list -c IPA`

> 
> many thanks.
> 
>> host-not-server.
>>
>> Use certutil to add both to your NSS database.
>>
>> rob
>>
> 
-- 
Petr Vobornik



Re: [Freeipa-users] service cert to a host/member/service

2016-05-05 Thread lejeczek
On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote:
> lejeczek wrote:
> > hi users,
> > 
> > as one follows official docs and issues a certificate for a
> > service/host, one wonders what is the correct way to move such a
> > certificate to a host (which is a domain member)?
> > I understand certificates issued with:
> > 
> > $ ipa cert-request -add --principal
> > 
> > are stored in the LDAP backend (yet I don't quite get the difference
> > between that tool and ipa-certget).
> 
> The first uses the IPA command-line to get a cert directly. ipa-getcert
> uses certmonger.
> 
> If you are getting a certificate for another host, particularly if that
> host isn't an IPA client, then the first form is the way to go.
> 
> > How do I get such a certificate off the server and to a host-not-server?
> 
> $ ipa cert-show  --out cert.pem
> 
> > In my case I'm hoping to use this certificate in apache+nss.
> > I realize I also will need the CA certificate on that host, which I got
> > hold of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's
> > the right way?
> 
> So in this case you'd want to generate the CSR on the host-not-server
> using certutil. You'd take that CSR to the enrolled host and run ipa
> cert-request ...
> 
> Get a copy of the cert and get that and /etc/ipa/ca.crt to the
Is this the only place where IPA's CA cert resides?
I thought that that cert will be in /etc/dirsrv/slapd-MY-DOMAIN
$ certutil -d /etc/dirsrv/slapd-MY..
gets me:

MY-DOMAIN IPA CA    CT,C,C
Server-Cert         u,u,u

what is that IPA CA then?
I also see the same with:
$ certutil -d /etc/httpd/alias -L
Is this the same one certificate? (including /etc/ipa/ca.crt)

I get these with: ipa-getcert list
I'm guessing these are set up by the installer and to be managed by
certmonger, for DS and web server for certificate auto-management
purposes?

many thanks.
> host-not-server.
> 
> Use certutil to add both to your NSS database.
> 
> rob
> 
> 

Re: [Freeipa-users] service cert to a host/member/service

2016-05-04 Thread Rob Crittenden

lejeczek wrote:

hi users,

as one follows official docs and issues a certificate for a
service/host, one wonders what is the correct way to move such a
certificate to a host (which is a domain member)?
I understand certificates issued with:

$ ipa cert-request -add --principal

are stored in the LDAP backend (yet I don't quite get the difference
between that tool and ipa-certget).


The first uses the IPA command-line to get a cert directly. ipa-getcert 
uses certmonger.


If you are getting a certificate for another host, particularly if that 
host isn't an IPA client, then the first form is the way to go.



How do I get such a certificate off the server and to a host-not-server?


$ ipa cert-show  --out cert.pem


In my case I'm hoping to use this certificate in apache+nss.
I realize I also will need the CA certificate on that host, which I got hold
of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's the
right way?


So in this case you'd want to generate the CSR on the host-not-server 
using certutil. You'd take that CSR to the enrolled host and run ipa 
cert-request ...


Get a copy of the cert and get that and /etc/ipa/ca.crt to the 
host-not-server.


Use certutil to add both to your NSS database.

rob
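
The procedure Rob outlines (CSR with certutil on the non-client host, ipa cert-request on an enrolled host, ipa cert-show --out, then certutil -A of both certs into the NSS database), as an added shell example that is not code from the thread or from the FreeIPA project. The NSS db path, the nicknames, and parsing the "Serial number:" line of ipa cert-request output are assumptions; the final check only confirms the trust flags match what the thread quotes (CT,C,C for the CA, u,u,u for the server cert).

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Assumed placeholders:
# the NSS db path, the CA nickname as listed on the server, and that cert.pem
# and /etc/ipa/ca.crt have already been copied to the host-not-server.
set -eu

NSSDB="${NSSDB:-/etc/httpd/alias}"       # NSS database used by apache+nss
CA_NICK="${CA_NICK:-MY-DOMAIN IPA CA}"   # nickname shown by certutil -L on the server
SERVER_NICK="${SERVER_NICK:-Server-Cert}"

# Step 1, on the host-not-server: create the db (if needed) and a CSR whose
# private key is generated in, and never leaves, that db.
make_csr() {   # make_csr <fqdn> <out.csr>
    [ -d "$NSSDB" ] || certutil -N -d "$NSSDB" --empty-password
    certutil -R -d "$NSSDB" -s "CN=$1" -g 2048 -a -o "$2"
}

# Step 2, on an enrolled host with a Kerberos ticket: submit the CSR (--add
# creates the service principal if missing), then export the issued cert by
# the serial cert-request prints (assumed to appear on a "Serial number:" line).
request_cert() {   # request_cert <in.csr> <service-principal> <out.pem>
    serial=$(ipa cert-request "$1" --principal="$2" --add \
             | sed -n 's/^ *Serial number: *\([0-9][0-9]*\).*/\1/p')
    ipa cert-show "$serial" --out="$3"
}

# Step 3, back on the host-not-server: import the CA as a trusted root
# (CT,C,C) and the issued cert, which pairs with the key from step 1.
import_certs() {   # import_certs <ca.crt> <cert.pem>
    certutil -A -d "$NSSDB" -n "$CA_NICK" -t "CT,C,C" -a -i "$1"
    certutil -A -d "$NSSDB" -n "$SERVER_NICK" -t "u,u,u" -a -i "$2"
}

# Check a `certutil -L -d $NSSDB` listing read from stdin: the CA must be trusted
# (CT,C,C) and the server cert must show u,u,u, i.e. its private key is in the db.
check_listing() {
    listing=$(cat); rc=0
    printf '%s\n' "$listing" | grep -q "^$CA_NICK[[:space:]]\{1,\}CT,C,C[[:space:]]*$" \
        || { echo "CA '$CA_NICK' missing or not trusted (want CT,C,C)" >&2; rc=1; }
    printf '%s\n' "$listing" | grep -q "^$SERVER_NICK[[:space:]]\{1,\}u,u,u[[:space:]]*$" \
        || { echo "'$SERVER_NICK' missing or lacks its key (want u,u,u)" >&2; rc=1; }
    return $rc
}

case "${1:-}" in
    csr)     make_csr "$2" "$3" ;;
    request) request_cert "$2" "$3" "$4" ;;
    import)  import_certs "$2" "$3" && certutil -L -d "$NSSDB" | check_listing ;;
esac
```

Run `csr` and `import` on the host-not-server and `request` on the enrolled host; `check_listing` can also be fed an existing `certutil -L -d /etc/httpd/alias` listing on its own to answer the "is that the same CA" question for a db you did not build.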



[Freeipa-users] service cert to a host/member/service

2016-05-04 Thread lejeczek
hi users,

as one follows official docs and issues a certificate for a
service/host, one wonders what is the correct way to move such a
certificate to a host (which is a domain member)?
I understand certificates issued with:

$ ipa cert-request -add --principal

are stored in the LDAP backend (yet I don't quite get the difference
between that tool and ipa-certget).
How do I get such a certificate off the server and to a host-not-server?
In my case I'm hoping to use this certificate in apache+nss.
I realize I also will need the CA certificate on that host, which I got
hold of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's
the right way?

many thanks.