Re: [Freeipa-users] Problem: How to download the keytab from IPA without resetting/regenerating a new one??
On Fri, Apr 27, 2012 at 02:52:20PM -0400, Dmitri Pal wrote:
> I thought that there was a flag for ipa-getkeytab to fetch the existing key
> but my knowledge in this area is rusty. Same with the cert.
> Maybe someone else would chime in.

There's a way for certificates, at least. If you still have the matching private key on the host (unless I'm mistaken, we don't have optional escrow yet, so if you don't have the private key, you're out of luck, and there's no point in bothering with any of this), you should be able to dig up the corresponding certificate.

Since the regular IPA machinery already knows how to pull up a certificate if you know its serial number, we just need to figure out the serial number. On the server, we search Dogtag's directory server instance by running:

  DOMAIN=EXAMPLE.COM
  FQDN=clientbox1.example.com
  ldapsearch -h localhost:7389 -x -D "cn=Directory Manager" -W \
    -b ou=certificateRepository,ou=ca,o=ipaca \
    subjectname="cn=$FQDN",o=$DOMAIN cn serialno

We'll need to supply the directory server administrator password. We'll get back the "cn" and "serialno" values for any matching entries. The "cn" values appear to be the serial numbers. If multiple certificates were issued to the host, we'll get more than one serial number back. We can pass any of them to "ipa cert-show" to retrieve the certificate that was issued with that serial number.

The "Certificate:" value is base64 without a header or footer, but we can pipe the whole value through OpenSSL's utility to both make sure we have the whole thing, and clean it up in the process. Run this command, and copy/paste the value into it:

  openssl base64 -d | openssl x509 -inform der

The result can be stored in the relevant file for use with OpenSSL, or imported into the relevant database for use with NSS.

Like Stephen noted about keytabs, though, there should be no harm in just issuing a new certificate for the host in question. Certificates are always issued with limited validity periods, so anything that breaks if/when a certificate is replaced needs to be fixed anyway.

HTH,

Nalin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
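The serial-number lookup and PEM conversion above, scripted as an added example (not code from the thread or the FreeIPA project). It assumes the 2012 server layout Nalin describes (Dogtag's own directory server instance on port 7389), and the sample ldapsearch and cert-show output is constructed so the two text filters can be tried offline.

```shell
#!/bin/sh
# Added example: automate the lookup described in the thread.
# serials_from_ldif and cert_show_b64 are pure text filters; fetch_host_certs
# wires them to ldapsearch/ipa/openssl on an IPA server with Dogtag's own
# 389 DS on port 7389 (assumption, per the thread's 2012 layout).

# Print one serial number per line from ldapsearch LDIF output on stdin.
# Per the thread, the "cn" of each certificateRepository entry is the
# serial number, so key on "cn:" and ignore comments and other attributes.
serials_from_ldif() {
    awk '/^cn: /{ print $2 }'
}

# Print only the base64 body of the "Certificate:" line from "ipa cert-show"
# output on stdin (the value carries no PEM header or footer).
cert_show_b64() {
    sed -n 's/^[[:space:]]*Certificate:[[:space:]]*//p'
}

# Turn "ipa cert-show" output on stdin into PEM, round-tripping through
# openssl so a truncated value fails loudly instead of yielding a bad file.
# -A is needed because the base64 arrives as a single long line.
cert_show_to_pem() {
    cert_show_b64 | openssl base64 -d -A | openssl x509 -inform der
}

# $1 = host FQDN, $2 = realm. Writes <fqdn>.<serial>.pem for every cert
# Dogtag issued to that host; prompts for the Directory Manager password.
fetch_host_certs() {
    fqdn=$1
    domain=$2
    ldapsearch -H ldap://localhost:7389 -x -D "cn=Directory Manager" -W \
        -b ou=certificateRepository,ou=ca,o=ipaca \
        "subjectname=cn=$fqdn,o=$domain" cn serialno |
    serials_from_ldif |
    while read -r serial; do
        ipa cert-show "$serial" | cert_show_to_pem > "$fqdn.$serial.pem"
    done
}

# Constructed sample output (not real data) for exercising the filters offline.
SAMPLE_LDIF='# extended LDIF
dn: cn=7,ou=certificateRepository,ou=ca,o=ipaca
cn: 7
serialno: 7

dn: cn=12,ou=certificateRepository,ou=ca,o=ipaca
cn: 12
serialno: 12

# numResponses: 3'
SAMPLE_CERT_SHOW='  Serial number: 12
  Certificate: MIIBCONSTRUCTEDNOTAREALCERT==
  Subject: CN=clientbox1.example.com,O=EXAMPLE.COM'
```

Run `fetch_host_certs clientbox1.example.com EXAMPLE.COM` on the IPA server; each resulting PEM file only helps if the matching private key is still on the host.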
Re: [Freeipa-users] Problem: How to download the keytab from IPA without resetting/regenerating a new one??
On Thu, 2012-04-26 at 19:58 -0700, David Copperfield wrote:
> Hi,
>
> Just have a silly case where I've to download the existing version
> keytab for a service principal. It is download only -- not recreate a
> new version and download the new version, which ipa-getkeytab does. --
> The ipa-getkeytab command name seems a little bit misleading because it
> does both 'set' and 'get' operations.

Well, this is actually intentional. I'm curious what your reasoning is for wanting to access the original key. There really isn't any downside to just pulling a brand-new one for a host, and the upside is that you just rolled your keys, so if they happened to be compromised, you're safe now.
Re: [Freeipa-users] Problem: How to download the keytab from IPA without resetting/regenerating a new one??
On 04/26/2012 10:58 PM, David Copperfield wrote:
> Hi,
>
> Just have a silly case where I've to download the existing version
> keytab for a service principal. It is download only -- not recreate a
> new version and download the new version, which ipa-getkeytab does. --
> The ipa-getkeytab command name seems a little bit misleading because it
> does both 'set' and 'get' operations.
>
> I've overheard that there is a way to get it from the underlying 389
> directory server but not sure how to do it. Anyone please shed a
> light on this? Similarly, how to download a host certificate from
> Dogtag, because 'ipa-getcert request' also resets it -- I may be
> wrong and so please feel free to correct me :); or how about a user
> principal's keytab from 389 too? Thanks a lot.
>
> --David

Is it a one-time operation? If so you can use the ldapsearch utility. The object will have the ipaHost object class in IPA. You can use a Directory Manager credential to authenticate. I suggest you do it on the server and then deliver the key and the cert manually.

I thought that there was a flag for ipa-getkeytab to fetch the existing key but my knowledge in this area is rusty. Same with the cert. Maybe someone else would chime in.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project, Red Hat Inc.
[Freeipa-users] Problem: How to download the keytab from IPA without resetting/regenerating a new one??
Hi,

Just have a silly case where I've to download the existing version keytab for a service principal. It is download only -- not recreate a new version and download the new version, which ipa-getkeytab does. -- The ipa-getkeytab command name seems a little bit misleading because it does both 'set' and 'get' operations.

I've overheard that there is a way to get it from the underlying 389 directory server but not sure how to do it. Anyone please shed a light on this? Similarly, how to download a host certificate from Dogtag, because 'ipa-getcert request' also resets it -- I may be wrong and so please feel free to correct me :); or how about a user principal's keytab from 389 too? Thanks a lot.

--David