I wondered about that, but the docs specifically say public key, and the command line option to "ipa vault-add" is "--public-key".

From "ipa vault-add --help":

  --public-key=BYTES        Vault public key
  --public-key-file=STR     File containing the vault public key

So I hope you can understand my confusion ;)

Can anyone else speak to whether the newer versions of the vault code are any different?

Thank you, Martin!

On Mon, Jul 25, 2016 at 4:32 AM, Martin Basti <[email protected]> wrote:

> On 24.07.2016 16:33, Anthony Clark wrote:
>
> Hello All,
>
> I have a crazy notion of storing a host's SSH private keys in an ipa vault, so that a rebuilt host can use the same keys.
>
> I'm on CentOS 7.2 and I'm using the RPMs available in the standard centos base repository, so I'm constrained to version 1.0 vaults. I'm using this page:
> http://www.freeipa.org/page/V4/Password_Vault_1.0#Provisioning_service_vault_password_for_service_instance
>
> I'm trying the following steps but running into trouble:
>
>   ipa service-add ssh/test01.dev.redacted.net
>
>   certutil -N -d testcertdb
>
>   certutil -R -d testcertdb -a -g 2048 -s 'CN=test01.dev.redacted.net,O=DEV.REDACTED.NET'
>
>   <paste that csr into the ipa web gui>
>
>   ipa-getcert request -r -f testsshd01-cert.pem -k testsshd01-key.pem -K ssh/[email protected]
>
>   ipa vault-add testsshd02 --service ssh/[email protected] --type asymmetric --public-key-file testsshd01-cert.pem
>
> The last command gives me "ipa: ERROR: invalid 'ipavaultpublickey': Invalid or unsupported vault public key: Could not unserialize key data."
>
> Is there a preferred way to create a public key for asymmetric encryption for a service vault?
>
> Thanks,
>
> Anthony Clark
>
>
> Hello,
> I suspect you should use just private key, not certificate
>
> https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL
>
> Regards,
> Martin
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
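The error in the thread ("Could not unserialize key data") comes from handing `--public-key-file` a certificate PEM (`testsshd01-cert.pem`) where a bare public key is expected. The script below is an added example, not code from the thread or from FreeIPA: a stdlib-only pre-flight check that inspects a PEM file before it is passed to `ipa vault-add`, accepting only a single `PUBLIC KEY` block whose DER is a SubjectPublicKeyInfo (the format `openssl rsa -pubout` writes) and explaining why anything else is rejected. It assumes, as the vault docs imply but this page does not spell out, that the vault expects exactly that SubjectPublicKeyInfo PEM; the sample PEM blocks are constructed toy inputs with the right structure, not usable keys.

```python
import base64
import re
from typing import Dict, List, Tuple

# Matches one PEM block; re.S lets the body span lines.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed sample (not from the thread): a hand-built SubjectPublicKeyInfo with
# the rsaEncryption OID and a toy 2-byte RSAPublicKey body. Right shape, unusable key.
TOY_SPKI_DER = bytes.fromhex(
    "301a"                            # SEQUENCE, 26 bytes
    "300d06092a864886f70d0101010500"  # AlgorithmIdentifier { rsaEncryption, NULL }
    "030900"                          # BIT STRING, 9 bytes, 0 unused bits
    "3006020105020103"                # RSAPublicKey { n = 5, e = 3 } (toy values)
)


def pem_blocks(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, DER bytes) for every PEM block found in text."""
    out = []
    for m in PEM_RE.finditer(text):
        body = re.sub(r"\s+", "", m.group(2))
        out.append((m.group(1), base64.b64decode(body)))
    return out


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos; return (tag, value, end offset)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:end], end


def _decode_oid(raw: bytes) -> str:
    """Turn OID content octets into dotted notation (e.g. 1.2.840.113549.1.1.1)."""
    first, rest = divmod(raw[0], 40)
    arcs, acc = [first, rest], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def check_vault_public_key(pem_text: str) -> Dict[str, object]:
    """Pre-flight check for a file destined for 'ipa vault-add --public-key-file'.

    Accepts only a single 'PUBLIC KEY' PEM block whose DER parses as
    SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }.
    Returns {'ok': bool, 'reason': str, 'algorithm': OID string or None}.
    """
    blocks = pem_blocks(pem_text)
    if len(blocks) != 1:
        return {"ok": False, "reason": f"expected 1 PEM block, found {len(blocks)}", "algorithm": None}
    label, der = blocks[0]
    if label == "CERTIFICATE":
        return {"ok": False, "algorithm": None,
                "reason": "this is an X.509 certificate, not a bare public key; "
                          "extract the key (openssl x509 -pubkey -noout) or generate a key pair"}
    if label != "PUBLIC KEY":
        return {"ok": False, "reason": f"unexpected PEM label '{label}'", "algorithm": None}
    try:
        tag, spki, _ = _read_tlv(der, 0)
        if tag != 0x30:
            raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
        tag, alg, pos = _read_tlv(spki, 0)
        if tag != 0x30:
            raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
        tag, oid_raw, _ = _read_tlv(alg, 0)
        if tag != 0x06:
            raise ValueError("AlgorithmIdentifier must start with an OID")
        tag, _bits, _ = _read_tlv(spki, pos)
        if tag != 0x03:
            raise ValueError("subjectPublicKey must be a BIT STRING")
    except ValueError as e:
        return {"ok": False, "reason": f"PUBLIC KEY block is not a SubjectPublicKeyInfo: {e}", "algorithm": None}
    return {"ok": True, "reason": "SubjectPublicKeyInfo PEM", "algorithm": _decode_oid(oid_raw)}


def _pem(label: str, der: bytes) -> str:
    """Wrap DER bytes in a PEM envelope with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed inputs: a well-formed public key, a certificate-labelled file like
# the one passed in the thread, and a PUBLIC KEY label around the wrong structure.
SAMPLE_PUBLIC_KEY_PEM = _pem("PUBLIC KEY", TOY_SPKI_DER)
SAMPLE_CERT_PEM = _pem("CERTIFICATE", TOY_SPKI_DER)
SAMPLE_BAD_PEM = _pem("PUBLIC KEY", bytes.fromhex("020105"))  # a bare INTEGER

if __name__ == "__main__":
    for name, pem in [("public key", SAMPLE_PUBLIC_KEY_PEM),
                      ("certificate", SAMPLE_CERT_PEM),
                      ("wrong structure", SAMPLE_BAD_PEM)]:
        print(f"{name}: {check_vault_public_key(pem)}")
```

Run it on the real file before calling `ipa vault-add` (`check_vault_public_key(open(path).read())`): a `CERTIFICATE` label, as in `testsshd01-cert.pem`, is rejected with a pointer to the fix, while a `PUBLIC KEY` block is also structurally checked so that a mislabelled or truncated file fails locally rather than as an opaque "Could not unserialize key data" from the server. The check validates structure only; it does not verify that the key material itself is sound.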
