Re: [Freeipa-users] Replace with 3rd part certificates
Hi Rob,

>> Hi,
>> is it possible that ipa-server-certinstall couldn't handle private keys without password?

> You can file an RFE at https://fedorahosted.org/freeipa/newticket

It seems that ipa-server-certinstall couldn't handle private keys with a password, too. See my result below.

>> I would test it with a self-signed certificate and a test private key file secured with a password, but I don't know what happens after entering a valid private key unlock password. Could I stop the certificate import process at this point, so no change will happen to my productive IPA server?

> I would not recommend experimenting with random certificates. It should be possible to add a password to your private key. A quick google found
> http://security.stackexchange.com/questions/59136/can-i-add-a-password-to-an-existing-private-key

That's a great idea. I have done so and tested again:

openssl rsa -des3 -in private.key -out private_key_with_pw.key
ipa-server-certinstall -w certificate.pem private_key_with_pw.key

After entering the password to unlock the private key I get the message:

Insufficient access: Invalid credentials

Andreas

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Replace with 3rd part certificates
Andreas Ladanyi wrote:

> Hi,
> is it possible that ipa-server-certinstall couldn't handle private keys without password?

You can file an RFE at https://fedorahosted.org/freeipa/newticket

> I would test it with a self-signed certificate and a test private key file secured with a password, but I don't know what happens after entering a valid private key unlock password. Could I stop the certificate import process at this point, so no change will happen to my productive IPA server?

I would not recommend experimenting with random certificates. It should be possible to add a password to your private key. A quick google found
http://security.stackexchange.com/questions/59136/can-i-add-a-password-to-an-existing-private-key

rob

> regards,
> Andreas
>
>> Hi,
>>
>> I try to replace the self-signed certificate from the IPA installation with this description:
>>
>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>
>> ipa-server-certinstall -w -d mysite.key mysite.crt
>>
>> The tool asks for the private key unlock password. The private key was generated without a password. I tried pressing only the Enter key, but it doesn't help. So I am confused. The certificate and key file are in PEM format.
>>
>> For testing I converted the private key with:
>>
>> openssl rsa -in -out
>>
>> because I want to know if openssl asks me for a password, but it doesn't.
>>
>> My version number is FreeIPA 4.1.
>>
>> regards,
>> Andreas
Re: [Freeipa-users] Replace with 3rd part certificates
Hi,

is it possible that ipa-server-certinstall couldn't handle private keys without password?

I would test it with a self-signed certificate and a test private key file secured with a password, but I don't know what happens after entering a valid private key unlock password. Could I stop the certificate import process at this point, so no change will happen to my productive IPA server?

regards,
Andreas

> Hi,
>
> I try to replace the self-signed certificate from the IPA installation with this description:
>
> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> ipa-server-certinstall -w -d mysite.key mysite.crt
>
> The tool asks for the private key unlock password. The private key was generated without a password. I tried pressing only the Enter key, but it doesn't help. So I am confused. The certificate and key file are in PEM format.
>
> For testing I converted the private key with:
>
> openssl rsa -in -out
>
> because I want to know if openssl asks me for a password, but it doesn't.
>
> My version number is FreeIPA 4.1.
>
> regards,
> Andreas
Re: [Freeipa-users] Replace with 3rd part certificates
There were issues with 3rd party certs as of RHEL 7.2/4.2. If this is fixed in 7.3, that would be great, especially for Let's Encrypt certs (even without auto-renewal).

On Fri, Jul 1, 2016 at 5:15 AM, Andreas Ladanyi wrote:

> Hi,
>
> For the time being and as far as I can see until IPA 4.3.1, the
> procedure is messy and difficult.
>
> The following thread will be a big help:
>
> https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html
>
> I think I succeeded at last, but further tests remain.
> Is it possible to backport the working procedure from 4.3.1 to 4.2 in
> Fedora 23?
>
> regards,
> Andreas
Re: [Freeipa-users] Replace with 3rd part certificates
Hi,

> For the time being and as far as I can see until IPA 4.3.1, the procedure is messy and difficult.
> The following thread will be a big help:
> https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html
>
> I think I succeeded at last, but further tests remain.

Is it possible to backport the working procedure from 4.3.1 to 4.2 in Fedora 23?

regards,
Andreas
Re: [Freeipa-users] Replace with 3rd part certificates
Hello,

On Monday, 27 June 2016, 12:43:13 CEST, Bjarne Blichfeldt wrote:

> For the time being and as far as I can see until IPA 4.3.1, the procedure is messy and difficult. The following thread will be a big help:
> https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html
>
> I think I succeeded at last, but further tests remain.
>
> Regards,
> Bjarne

thanks for the info

> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Andreas Ladanyi
> Sent: 27. juni 2016 13:49
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] Replace with 3rd part certificates
>
> Hi,
>
> I try to replace the self-signed certificate from the IPA installation with this description:
>
> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> ipa-server-certinstall -w -d mysite.key mysite.crt
>
> The tool asks for the private key unlock password. The private key was generated without a password. I tried pressing only the Enter key, but it doesn't help. So I am confused. The certificate and key file are in PEM format.
>
> For testing I converted the private key with:
>
> openssl rsa -in -out
>
> because I want to know if openssl asks me for a password, but it doesn't.
>
> My version number is FreeIPA 4.1.

My version 4.3.1 ;-)

--
Kind regards / best regards,
Günther J. Niederwimmer
Re: [Freeipa-users] Replace with 3rd part certificates
For the time being and as far as I can see until IPA 4.3.1, the procedure is messy and difficult.
The following thread will be a big help:
https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html

I think I succeeded at last, but further tests remain.

Regards,
Bjarne

-Original Message-
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Andreas Ladanyi
Sent: 27. juni 2016 13:49
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Replace with 3rd part certificates

Hi,

I try to replace the self-signed certificate from the IPA installation with this description:

http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

ipa-server-certinstall -w -d mysite.key mysite.crt

The tool asks for the private key unlock password. The private key was generated without a password. I tried pressing only the Enter key, but it doesn't help. So I am confused. The certificate and key file are in PEM format.

For testing I converted the private key with:

openssl rsa -in -out

because I want to know if openssl asks me for a password, but it doesn't.

My version number is FreeIPA 4.1.

regards,
Andreas
[Freeipa-users] Replace with 3rd part certificates
Hi,

I try to replace the self-signed certificate from the IPA installation with this description:

http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

ipa-server-certinstall -w -d mysite.key mysite.crt

The tool asks for the private key unlock password. The private key was generated without a password. I tried pressing only the Enter key, but it doesn't help. So I am confused. The certificate and key file are in PEM format.

For testing I converted the private key with:

openssl rsa -in -out

because I want to know if openssl asks me for a password, but it doesn't.

My version number is FreeIPA 4.1.

regards,
Andreas
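
The by-hand test from the original post (does openssl ask for a password?) together with a key/certificate match check, written as an added shell example; it is not from the thread or from the FreeIPA project. The function names and the script name are assumptions of this example, and it only reads the files it is given.

```shell
#!/bin/sh
# Added example: pre-flight checks on a PEM key and certificate.
# Read-only on the files given; ipa-server-certinstall is never invoked.

# Print how a PEM private key file is protected, judged by its PEM headers.
key_protection() {
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted-pkcs8            # PKCS#8, passphrase required
    elif grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo encrypted-traditional  # legacy PEM encryption, passphrase required
        else
            echo unencrypted            # openssl will not prompt for this key
        fi
    else
        echo not-a-pem-key
    fi
}

# Return 0 if the certificate carries the public half of the private key,
# 1 if it does not, 2 if either file cannot be read or decrypted.
# $3 (optional) is a passphrase source in openssl -passin syntax, e.g. file:pw.txt
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -passin "${3:-pass:}" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# Usage: sh precheck.sh KEY.pem CERT.pem [PASSIN]   (script name is hypothetical)
if [ "$#" -ge 2 ]; then
    echo "key protection: $(key_protection "$1")"
    if key_matches_cert "$1" "$2" "${3:-}"; then
        echo "certificate matches key"
    else
        echo "certificate does NOT match key (or a file could not be read)"
    fi
fi
```

Depending on the OpenSSL version, the `openssl rsa -des3` command used in the thread yields either the `encrypted-traditional` or the `encrypted-pkcs8` form.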