MachinePrivateCertWithEL7: Difference between revisions
No edit summary |
|||
(One intermediate revision by the same user not shown) | |||
Line 7: | Line 7: | ||
Don't forget to add the '--request-cert' option in the 'ipa-client-install' command, otherwise certificate won't be generated. | Don't forget to add the '--request-cert' option in the 'ipa-client-install' command, otherwise certificate won't be generated. | ||
== How to retrieve the cert and the | == How to retrieve the CA cert, the hostcert and the hostkey == | ||
* To | * To get the CA cert : | ||
<pre> | <pre> | ||
certutil -L -d /etc/ipa/nssdb/ -a -n 'Local IPA host' | certutil -L -d /etc/ipa/nssdb -a -n 'WN.IIHE.AC.BE IPA CA' > ca.pem | ||
</pre> | |||
* To get the hostcert : | |||
<pre> | |||
certutil -L -d /etc/ipa/nssdb/ -a -n 'Local IPA host' > hostcert.pem | |||
</pre> | |||
* To get the private key : | |||
<pre> | |||
pk12util -o keys.p12 -n 'Local IPA host' -d /etc/ipa/nssdb -W '' -k /etc/ipa/nssdb/pwdfile.txt | |||
openssl pkcs12 -in keys.p12 -out hostkey.pem -nodes -password pass:'' | |||
</pre> | </pre> |
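Review bot: the added private-key step exports the key with no protection at rest and says nothing about file permissions. `-W ''` leaves keys.p12 on disk with an empty password, and `-nodes` writes hostkey.pem unencrypted, so both files take whatever the caller's umask gives them. Suggest telling the reader to run the step under `umask 077` (or chmod 600 hostkey.pem) and to delete keys.p12 once hostkey.pem has been written. As written, the openssl command also copies the certificate into hostkey.pem; adding `-nocerts` would keep that file to the key alone. Minor: the hostcert line passes `/etc/ipa/nssdb/` with a trailing slash while the other added lines use `/etc/ipa/nssdb`.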
Latest revision as of 12:34, 1 March 2017
What has changed with EL7
With EL7 comes release 4 of the IPA client tools, which brings the following changes:
- the path of nssdb is /etc/ipa/nssdb (and not /etc/pki/nssdb);
- certificate generation and installation are no longer done unless explicitly asked for.
Enrollment
Don't forget to add the '--request-cert' option to the 'ipa-client-install' command; otherwise the certificate won't be generated.
How to retrieve the CA cert, the hostcert and the hostkey
- To get the CA cert:
certutil -L -d /etc/ipa/nssdb -a -n 'WN.IIHE.AC.BE IPA CA' > ca.pem
- To get the hostcert:
certutil -L -d /etc/ipa/nssdb/ -a -n 'Local IPA host' > hostcert.pem
- To get the private key:
pk12util -o keys.p12 -n 'Local IPA host' -d /etc/ipa/nssdb -W '' -k /etc/ipa/nssdb/pwdfile.txt
openssl pkcs12 -in keys.p12 -out hostkey.pem -nodes -password pass:''
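
The three export steps above wrapped with owner-only permissions, cleanup of the intermediate PKCS#12 file and a check of the result, as an added example that is not part of the original wiki page. The function names and the output-directory argument are assumptions, and `-nocerts` is added so that hostkey.pem holds only the key; the NSS path and nicknames are the ones the page uses.

```sh
# Added example, not from the original page. Function names and the
# output-directory argument are assumptions; paths/nicknames are the page's.
NSSDB=/etc/ipa/nssdb
HOST_NICK='Local IPA host'
CA_NICK='WN.IIHE.AC.BE IPA CA'

# Export ca.pem, hostcert.pem and hostkey.pem into directory $1.
export_host_material() (
    out=$1
    umask 077                       # files and directory created below are owner-only
    mkdir -p "$out" || exit 1
    p12=$(mktemp "$out/keys.XXXXXX") || exit 1
    certutil -L -d "$NSSDB" -a -n "$CA_NICK" > "$out/ca.pem" &&
    certutil -L -d "$NSSDB" -a -n "$HOST_NICK" > "$out/hostcert.pem" &&
    pk12util -o "$p12" -n "$HOST_NICK" -d "$NSSDB" -W '' -k "$NSSDB/pwdfile.txt" &&
    openssl pkcs12 -in "$p12" -nocerts -nodes -password pass: -out "$out/hostkey.pem"
    rc=$?
    rm -f "$p12"                    # the empty-password PKCS#12 also contains the key
    exit "$rc"
)

# Check the exported files in directory $1: the key belongs to the cert,
# the cert is issued by the CA, and the key is readable by its owner only.
verify_host_material() (
    dir=$1
    cert_pub=$(openssl x509 -in "$dir/hostcert.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/hostkey.pem" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "hostkey.pem does not match hostcert.pem" >&2; exit 1; }
    # Match on the ": OK" line rather than the exit status of 'openssl verify'.
    openssl verify -CAfile "$dir/ca.pem" "$dir/hostcert.pem" 2>/dev/null |
        grep -q ': OK$' ||
        { echo "hostcert.pem is not issued by ca.pem" >&2; exit 1; }
    # Characters 5-10 of 'ls -l' are the group and other permission bits.
    [ "$(ls -ld "$dir/hostkey.pem" | cut -c5-10)" = "------" ] ||
        { echo "hostkey.pem is accessible to group or others" >&2; exit 1; }
)

# Usage on an enrolled host, as root:
#   export_host_material /root/hostcreds && verify_host_material /root/hostcreds
```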