Re: [Freeipa-users] Replace with 3rd part certificates

2016-07-06 Thread Andreas Ladanyi

Hi Rob,

>> Hi,
>>
>> is it possible that ipa-server-certinstall couldn't handle private keys
>> without password ?
>
> You can file an RFE at https://fedorahosted.org/freeipa/newticket

It seems that ipa-server-certinstall couldn't handle private keys with
password, too. See my result below.

>> I would test it with a self-signed certificate and test private key file
>> secured with password, but I don't know what happens after entering a
>> valid private key unlock password. Could I stop the certificate import
>> process at this point, so no change will happen to my productive ipa
>> server ?
>
> I would not recommend experimenting with random certificates.
>
> It should be possible to add a password to your private key. A quick
> google found
> http://security.stackexchange.com/questions/59136/can-i-add-a-password-to-an-existing-private-key

That's a great idea. I have done so and tested again:

openssl rsa -des3 -in private.key -out private_key_with_pw.key

ipa-server-certinstall -w certificate.pem private_key_with_pw.key

After entering the password to unlock the private key I get the message:

Insufficient access:  Invalid credentials

Andreas

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Replace with 3rd part certificates

2016-07-06 Thread Rob Crittenden

Andreas Ladanyi wrote:

> Hi,
>
> is it possible that ipa-server-certinstall couldn't handle private keys
> without password ?

You can file an RFE at https://fedorahosted.org/freeipa/newticket

> I would test it with a self-signed certificate and test private key file
> secured with password, but I don't know what happens after entering a
> valid private key unlock password. Could I stop the certificate import
> process at this point, so no change will happen to my productive ipa
> server ?

I would not recommend experimenting with random certificates.

It should be possible to add a password to your private key. A quick
google found
http://security.stackexchange.com/questions/59136/can-i-add-a-password-to-an-existing-private-key

rob





Re: [Freeipa-users] Replace with 3rd part certificates

2016-07-06 Thread Andreas Ladanyi

Hi,

is it possible that ipa-server-certinstall couldn't handle private keys
without password ?


I would test it with a self-signed certificate and test private key file
secured with password, but I don't know what happens after entering a
valid private key unlock password. Could I stop the certificate import
process at this point, so no change will happen to my productive ipa
server ?


regards,
Andreas


Re: [Freeipa-users] Replace with 3rd part certificates

2016-07-01 Thread Prasun Gera
There were issues with 3rd party certs as of RHEL 7.2/4.2. If this is fixed
in 7.3, that would be great, especially for Let's Encrypt certs (even
without auto-renewal)

On Fri, Jul 1, 2016 at 5:15 AM, Andreas Ladanyi wrote:

> Hi,
> > For the time being and as far as I can see until IPA 4.3.1, the
> > procedure is messy and difficult.
> > The following thread will be a big help:
> > https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html
> >
> > I think I succeeded at last, but further tests remain.
> Is it possible to backport the working procedure from 4.3.1 to 4.2 in
> Fedora 23 ?
>
> regards,
> Andreas

Re: [Freeipa-users] Replace with 3rd part certificates

2016-07-01 Thread Andreas Ladanyi
Hi,
> For the time being and as far as I can see until IPA 4.3.1, the procedure is 
> messy and difficult.
> The following thread will be a big help:
> https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html
>
> I think I succeeded at last, but further tests remain.
Is it possible to backport the working procedure from 4.3.1 to 4.2 in
Fedora 23 ?
>
>
regards,
Andreas




Re: [Freeipa-users] Replace with 3rd part certificates

2016-06-27 Thread Günther J . Niederwimmer
Hello,

On Monday, 27 June 2016, 12:43:13 CEST, Bjarne Blichfeldt wrote:
> For the time being and as far as I can see until IPA 4.3.1, the procedure is
> messy and difficult. The following thread will be a big help:
> https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html
> 
> I think I succeeded at last, but further tests remain.
> 
> 
> Regards,
> Bjarne

thanks for the info

> 
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Andreas Ladanyi
> Sent: 27 June 2016 13:49
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] Replace with 3rd part certificates
> 
> Hi,
> 
> I try to replace the self-signed certificate from the ipa installation with
> this description:
> 
> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> 
> ipa-server-certinstall -w -d mysite.key mysite.crt
> 
> The tool asks for the private key unlock password. The private key was
> generated without password. I tried pressing only the enter key, but it
> doesn't help. So I am confused. The certificate and keyfile are in PEM
> format.
> 
> For testing I converted the private key with:
> 
> openssl rsa -in -out
> 
> because I want to know if openssl asks me for a password, but it doesn't.
> 
> My version number is FreeIPA 4.1.

My version 4.3.1 ;-)

-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] Replace with 3rd part certificates

2016-06-27 Thread Bjarne Blichfeldt
For the time being and as far as I can see until IPA 4.3.1, the procedure is 
messy and difficult.
The following thread will be a big help:
https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html

I think I succeeded at last, but further tests remain.


Regards,
Bjarne


-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Andreas Ladanyi
Sent: 27 June 2016 13:49
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Replace with 3rd part certificates

Hi,

I try to replace the self-signed certificate from the ipa installation with 
this description:

http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

ipa-server-certinstall -w -d mysite.key mysite.crt

The tool asks for the private key unlock password. The private key was generated 
without password. I tried pressing only the enter key, but it doesn't help. 
So I am confused. The certificate and keyfile are in PEM format.

For testing I converted the private key with:

openssl rsa -in -out

because I want to know if openssl asks me for a password, but it doesn't.

My version number is FreeIPA 4.1.


regards,
Andreas




[Freeipa-users] Replace with 3rd part certificates

2016-06-27 Thread Andreas Ladanyi
Hi,

I try to replace the self-signed certificate from the ipa installation
with this description:

http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

ipa-server-certinstall -w -d mysite.key mysite.crt

The tool asks for the private key unlock password. The private key was
generated without password. I tried pressing only the enter key, but
it doesn't help. So I am confused. The certificate and keyfile are in PEM
format.

For testing I converted the private key with:

openssl rsa -in -out

because I want to know if openssl asks me for a password, but it doesn't.

My version number is FreeIPA 4.1.


regards,
Andreas
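
The thread turns on whether the PEM key file is passphrase-protected and whether it belongs to the certificate being installed. The script below is an added example (not from any poster and not FreeIPA code) that classifies a key by its PEM armor and compares its public half with the certificate's; the function names are hypothetical and the file names are supplied by the caller.

```shell
#!/bin/sh
# Added example, not FreeIPA code: pre-flight checks on a PEM key and
# certificate. Function names are hypothetical.

# Print "encrypted", "unencrypted" or "unknown" from the PEM armor alone.
pem_key_state() {
    # PKCS#8 encrypted keys say so in the BEGIN line itself.
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted
    # Traditional keys (e.g. "RSA PRIVATE KEY") and plain PKCS#8 keys.
    elif grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"; then
        # A traditional encrypted key carries a Proc-Type header line.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo encrypted
        else
            echo unencrypted
        fi
    else
        echo unknown
    fi
}

# Return 0 if the key's public half equals the certificate's public key,
# 1 if it differs, 2 if either file cannot be read by openssl.
# openssl asks for the passphrase itself when the key is encrypted.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# Usage: sh check.sh KEYFILE CERTFILE
if [ "$#" -eq 2 ]; then
    echo "key state: $(pem_key_state "$1")"
    if key_matches_cert "$1" "$2"; then
        echo "key and certificate match"
    else
        echo "key and certificate do not match, or could not be read" >&2
        exit 1
    fi
fi
```

Both checks only read the files, so they can be run on the key and certificate before anything is handed to an import tool.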


