On 02/03/2016 12:42 AM, Christopher Young wrote:
> I've been doing some reading and perhaps I'm confusing myself, but I
> couldn't find any definitive guide on how to go about doing what I
> think is a pretty simple thing.
>
> My ipa-client installs appear to generate a new TLS/SSL/PKI cert for
> each host when they are registered. I'd like to utilize that
> certificate with Apache/tomcat/etc. I'm aware of how to obtain the
> certificate itself, however I'm not clear on how to obtain the private
> key (in a format that I can use as well) that was used to generate the
> certificate.
>
> Would someone kindly point me in the right direction or ideally just
> educate me on the command/options needed to do this. In particular,
> I'm looking to create pem files for both the key and cert for use with
> Apache, but it would be useful to understand how to do it for other
> stores as well. (Hint: this would be great to just have in a document
> that makes it clear). :)

Hi Chris,

I do not think it is a good idea to do what you are doing :-) The host certificate does not need to be the same as the Web certificate. From FreeIPA 4.1 (IIRC), it is not even requested by default on all clients.

I would rather recommend generating a separate certificate for the Web UI; we have a walkthrough here:

http://www.freeipa.org/page/PKI#Requesting_a_new_certificate

> Thanks again to the freeipa team. I love this product.

And I love to hear notes from the community like this, very rewarding!
