Re: [Freeipa-users] service cert to a host/member/service
lejeczek wrote:
> On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote:
>> lejeczek wrote:
>>> hi users,
>>>
>>> as one follows official docs and issues a certificate for a
>>> service/host, one wonders what is the correct way to move such a
>>> certificate to a host (which is domain member)?
>>> I understand certificates issued with:
>>>
>>> $ ipa cert-request -add --principal
>>>
>>> are stored in ldap backend, (yet I don't quite get the difference
>>> between that tool and ipa-certget).
>>
>> The first uses the IPA command-line to get a cert directly. ipa-getcert
>> uses certmonger.
>>
>> If you are getting a certificate for another host, particularly if that
>> host isn't an IPA client, then the first form is the way to go.
>>
>>> How do I get such a certificate off the server and to a host-not-server?
>>
>> $ ipa cert-show --out cert.pem
>>
>>> In my case I'm hoping to use this certificate in apache+nss.
>>> I realize I also will need CA certificate on that host, which I got hold
>>> of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's the
>>> right way?
>>
>> So in this case you'd want to generate the CSR on the host-not-server
>> using certutil. You'd take that CSR to the enrolled host and run ipa
>> cert-request ...
>>
>> Get a copy of the cert and get that and /etc/ipa/ca.crt to the
>
> Is this the only place where IPA's CA cert resides?
> I thought that that cert will be in /etc/dirsrv/slapd-MY-DOMAIN
> $ certutil -d /etc/dirsrv/slapd-MY..
> gets me:
>
> MY-DOMAIN IPA CA    CT,C,C
> Server-Cert         u,u,u
>
> what is that IPA CA then?
> I also see the same with:
> $ certutil -d /etc/httpd/alias -L
> Is this the same one certificate? (including /etc/ipa/ca.crt)

Yes, these are all (or should be) the same (there is a copy in LDAP too).

> I get these with: ipa-getcert list
> I'm guessing these are set up by installer and to be managed by certmonger,
> for DS and web server for certificates auto management purposes?

Yes, certmonger manages automatic renewal.

rob

> many thanks.
>
>> host-not-server.
>>
>> Use certutil to add both to your NSS database.
>>
>> rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] service cert to a host/member/service
On 05/05/2016 11:44 AM, lejeczek wrote:
> On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote:
>> lejeczek wrote:
>>> hi users,
>>>
>>> as one follows official docs and issues a certificate for a
>>> service/host, one wonders what is the correct way to move such a
>>> certificate to a host (which is domain member)?
>>> I understand certificates issued with:
>>>
>>> $ ipa cert-request -add --principal
>>>
>>> are stored in ldap backend, (yet I don't quite get the difference
>>> between that tool and ipa-certget).
>>
>> The first uses the IPA command-line to get a cert directly. ipa-getcert
>> uses certmonger.
>>
>> If you are getting a certificate for another host, particularly if that
>> host isn't an IPA client, then the first form is the way to go.
>>
>>> How do I get such a certificate off the server and to a host-not-server?
>>
>> $ ipa cert-show --out cert.pem
>>
>>> In my case I'm hoping to use this certificate in apache+nss.
>>> I realize I also will need CA certificate on that host, which I got hold
>>> of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's the
>>> right way?
>>
>> So in this case you'd want to generate the CSR on the host-not-server
>> using certutil. You'd take that CSR to the enrolled host and run ipa
>> cert-request ...
>>
>> Get a copy of the cert and get that and /etc/ipa/ca.crt to the
>
> Is this the only place where IPA's CA cert resides?
> I thought that that cert will be in /etc/dirsrv/slapd-MY-DOMAIN
> $ certutil -d /etc/dirsrv/slapd-MY..
> gets me:
>
> MY-DOMAIN IPA CA    CT,C,C
> Server-Cert         u,u,u
>
> what is that IPA CA then?
> I also see the same with:
> $ certutil -d /etc/httpd/alias -L
> Is this the same one certificate? (including /etc/ipa/ca.crt)
>
> I get these with: ipa-getcert list
> I'm guessing these are set up by installer and to be managed by certmonger,
> for DS and web server for certificates auto management purposes?

You can use the generic `getcert` tool to get all certs managed by certmonger
and their location. It will also show you PKI internal certs.

# getcert list

`ipa-getcert list` is equivalent to `getcert list -c IPA`

> many thanks.
>
>> host-not-server.
>>
>> Use certutil to add both to your NSS database.
>>
>> rob

-- 
Petr Vobornik
Re: [Freeipa-users] service cert to a host/member/service
On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote:
> lejeczek wrote:
>> hi users,
>>
>> as one follows official docs and issues a certificate for a
>> service/host, one wonders what is the correct way to move such a
>> certificate to a host (which is domain member)?
>> I understand certificates issued with:
>>
>> $ ipa cert-request -add --principal
>>
>> are stored in ldap backend, (yet I don't quite get the difference
>> between that tool and ipa-certget).
>
> The first uses the IPA command-line to get a cert directly. ipa-getcert
> uses certmonger.
>
> If you are getting a certificate for another host, particularly if that
> host isn't an IPA client, then the first form is the way to go.
>
>> How do I get such a certificate off the server and to a host-not-server?
>
> $ ipa cert-show --out cert.pem
>
>> In my case I'm hoping to use this certificate in apache+nss.
>> I realize I also will need CA certificate on that host, which I got hold
>> of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's the
>> right way?
>
> So in this case you'd want to generate the CSR on the host-not-server
> using certutil. You'd take that CSR to the enrolled host and run ipa
> cert-request ...
>
> Get a copy of the cert and get that and /etc/ipa/ca.crt to the

Is this the only place where IPA's CA cert resides?
I thought that that cert will be in /etc/dirsrv/slapd-MY-DOMAIN
$ certutil -d /etc/dirsrv/slapd-MY..
gets me:

MY-DOMAIN IPA CA    CT,C,C
Server-Cert         u,u,u

what is that IPA CA then?
I also see the same with:
$ certutil -d /etc/httpd/alias -L
Is this the same one certificate? (including /etc/ipa/ca.crt)

I get these with: ipa-getcert list
I'm guessing these are set up by installer and to be managed by certmonger,
for DS and web server for certificates auto management purposes?

many thanks.

> host-not-server.
>
> Use certutil to add both to your NSS database.
>
> rob
Re: [Freeipa-users] service cert to a host/member/service
lejeczek wrote:
> hi users,
>
> as one follows official docs and issues a certificate for a
> service/host, one wonders what is the correct way to move such a
> certificate to a host (which is domain member)?
> I understand certificates issued with:
>
> $ ipa cert-request -add --principal
>
> are stored in ldap backend, (yet I don't quite get the difference
> between that tool and ipa-certget).

The first uses the IPA command-line to get a cert directly. ipa-getcert
uses certmonger.

If you are getting a certificate for another host, particularly if that
host isn't an IPA client, then the first form is the way to go.

> How do I get such a certificate off the server and to a host-not-server?

$ ipa cert-show --out cert.pem

> In my case I'm hoping to use this certificate in apache+nss.
> I realize I also will need CA certificate on that host, which I got hold
> of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's the
> right way?

So in this case you'd want to generate the CSR on the host-not-server
using certutil. You'd take that CSR to the enrolled host and run ipa
cert-request ...

Get a copy of the cert and get that and /etc/ipa/ca.crt to the
host-not-server.

Use certutil to add both to your NSS database.

rob
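The four steps Rob lays out here (CSR on the non-enrolled host with certutil, `ipa cert-request` on an enrolled host, `ipa cert-show --out`, then certutil to import the cert plus /etc/ipa/ca.crt) and the trust flags lejeczek saw in `certutil -L` (CA as CT,C,C, server cert as u,u,u), collected into one POSIX sh helper. This is an added example, not code from the thread or from the FreeIPA project. The realm EXAMPLE.COM, the host web1.example.com, the database /etc/httpd/alias, the `Serial number:` line that `ipa cert-request` prints and certutil's `-8` SAN option are assumptions made for the example, as are the mod_nss directive names in the usage comment.

```shell
#!/bin/sh
# Added example (not code from the thread or from the FreeIPA project):
# Rob's procedure as a small POSIX sh helper. Assumed names: realm
# EXAMPLE.COM, target host web1.example.com, NSS database /etc/httpd/alias
# (mod_nss default). Override any of them via environment variables.
set -eu

NSSDB=${NSSDB:-/etc/httpd/alias}
REALM=${REALM:-EXAMPLE.COM}
CA_NICK=${CA_NICK:-"$REALM IPA CA"}      # nickname the IPA installer uses for its CA
SRV_NICK=${SRV_NICK:-Server-Cert}

# Step 1, on the target (non-enrolled) host: generate the key pair inside the
# NSS database and write a PEM CSR. Only the CSR leaves the host; the private
# key never does. -8 adds a dNSName SAN (assumed certutil option).
make_csr() {  # make_csr FQDN CSR_OUT
    certutil -R -d "$NSSDB" -s "CN=$1,O=$REALM" -8 "$1" -g 2048 -a -o "$2"
}

# Pull the decimal serial out of `ipa cert-request` output, which prints a
# "Serial number: N" line (format as I have seen it on IPA 4.x; assumption).
serial_from_request_output() {
    sed -n 's/^ *Serial number: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Step 2, on an enrolled host with a valid admin ticket (kinit): sign the CSR
# for the service principal. --add creates the service entry if it is missing.
# Prints the serial, which is what `ipa cert-show` needs in step 3.
request_cert() {  # request_cert PRINCIPAL CSR_FILE
    out=$(ipa cert-request --principal="$1" --add "$2")
    printf '%s\n' "$out" | serial_from_request_output
}

# Step 3, still on the enrolled host: export the issued cert as PEM. Copy this
# file and /etc/ipa/ca.crt (both public) to the target host.
export_cert() {  # export_cert SERIAL PEM_OUT
    ipa cert-show "$1" --out "$2"
}

# Verify a `certutil -L` listing read from stdin: the CA must carry CT,C,C and
# the server cert u,u,u, which is what the thread shows on the IPA server.
check_nss_listing() {  # check_nss_listing CA_NICK SRV_NICK < listing
    awk -v ca="$1" -v srv="$2" '
        { flags = $NF; nick = $0; sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick) }
        nick == ca  && flags == "CT,C,C" { ca_ok = 1 }
        nick == srv && flags == "u,u,u"  { srv_ok = 1 }
        END { exit !(ca_ok && srv_ok) }'
}

# Step 4, on the target host: import CA and server cert into the NSS database
# (the cert attaches to the key generated in step 1), then check the trust
# flags and validate the chain for SSL-server use (-u V).
install_certs() {  # install_certs CA_PEM CERT_PEM
    # Compare this fingerprint with `openssl x509 -in /etc/ipa/ca.crt ...` on
    # the IPA server before trusting it: a CA copied over an unauthenticated
    # channel is exactly what an attacker would want to swap.
    openssl x509 -in "$1" -noout -fingerprint -sha256
    certutil -A -d "$NSSDB" -n "$CA_NICK"  -t "CT,C,C" -a -i "$1"
    certutil -A -d "$NSSDB" -n "$SRV_NICK" -t "u,u,u"  -a -i "$2"
    certutil -L -d "$NSSDB" | check_nss_listing "$CA_NICK" "$SRV_NICK"
    certutil -V -d "$NSSDB" -n "$SRV_NICK" -u V
}

# Usage:
#   target host:   sh ipa-svc-cert.sh csr web1.example.com web1.csr
#   enrolled host: serial=$(sh ipa-svc-cert.sh request HTTP/web1.example.com web1.csr)
#                  sh ipa-svc-cert.sh export "$serial" web1.pem
#   target host:   sh ipa-svc-cert.sh install ca.crt web1.pem
# mod_nss then points at the database with NSSCertificateDatabase /etc/httpd/alias
# and NSSNickname Server-Cert (assumed directive names).
case "${1:-}" in
    csr)     make_csr "$2" "$3" ;;
    request) request_cert "$2" "$3" ;;
    export)  export_cert "$2" "$3" ;;
    install) install_certs "$2" "$3" ;;
    *) ;;
esac
```

The point of generating the CSR in the target's own NSS database is that the private key is never on the IPA server and never crosses the wire; only the CSR, the issued cert and the CA cert move, and all three are public. `check_nss_listing` is the one piece that runs without IPA at hand, so it can be exercised on a saved `certutil -L` listing before the cert is wired into mod_nss.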
[Freeipa-users] service cert to a host/member/service
hi users,

as one follows official docs and issues a certificate for a
service/host, one wonders what is the correct way to move such a
certificate to a host (which is domain member)?
I understand certificates issued with:

$ ipa cert-request -add --principal

are stored in ldap backend, (yet I don't quite get the difference
between that tool and ipa-certget).

How do I get such a certificate off the server and to a host-not-server?
In my case I'm hoping to use this certificate in apache+nss.
I realize I also will need CA certificate on that host, which I got hold
of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's the
right way?

many thanks.