On 3/19/19 7:07 PM, Azim Siddiqui wrote:
Hi,
I was wondering, is there any way I can extract the private key and certificate from the nssdb directory? Because the one key I have is not matching the certificate.
Hi, I am insisting, but please keep freeipa-users in copy.
What do you mean by "extract"? Do you want to remove the key from the nssdb, or transform it into another format? To remove a private key from an nssdb, use the certutil command with the -F option. You can find the full format in the man page certutil(1).
If you want to create a PKCS12 file containing the private key and certificate:
pk12util -o keys.p12 -n $alias -d $NSSDB

If you want a PEM file containing the private key:
pk12util -o keys.p12 -n $alias -d $NSSDB
openssl pkcs12 -in keys.p12 -out cert.key -nodes

If you want a PEM file containing the cert:
certutil -L -d $NSSDB -n $alias -a -o cert.pem

But first of all, which NSSDB directory are you working with? A NSSDB can contain multiple keys and certificates, and also certificates without matching private keys. Can you show the content of your NSSDB?
certutil -L -d $NSSDB
certutil -K -d $NSSDB
flo
Thanks, Azeem
On Tue, 19 Mar 2019 at 13:01, Florence Blanc-Renaud <flo@redhat.com> wrote:
On 3/19/19 4:18 PM, Azim Siddiqui wrote:
> Hi Florence,
>
> Thanks for the info. I will check for the ipa cert-find command and will send you the output. Actually, when I am trying to do $ kinit admin it is asking for a password. And I am not sure about the password, as I said it was set by the previous system admin.
>
Hi
(re-adding freeipa-users in cc)
if you do kinit -kt /etc/krb5.keytab you should also have enough permissions to perform ipa cert-find.

> And also I can see there is nssdb directory on the server. Do you by any chance know, what is that for?
There are many nssdb directories on a FreeIPA system. For instance /etc/ipa/nssdb is the NSS database used by the ipa * commands. It contains the certificates of the trusted certificate authorities. You can find more information re. NSS databases in the man page for certutil(1).

> If I have the private key on the server, how can I renew the certificate signed by IPA. can you please provide me the steps.
If you have the private key in $NSSDB database you just need to follow the steps provided in my first email (https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/RHHOGPIOFGKFXDZM5OE3DY3RCC7TVCSM/).

flo

> thanks & Regards,
> Azeem
>
> On Tue, 19 Mar 2019 at 04:57, Florence Blanc-Renaud <flo@redhat.com> wrote:
>
> > On 3/18/19 7:50 PM, Azim Siddiqui wrote:
> > > Hi Florence,
> > >
> > > Thanks for your reply.
> > > I am referring to the applications. For example, we have Apache,haproxy,jenkins,git which uses certs signed by IPA. And now when I am browsing these applications urls. It is showing, this site is not secured.
> > > And originally, This cert were created by a system admin, who is not working with us now. So its getting hard for me to figure out, how can I create or renew the certs.
> > >
> > > And I don't see any files ssl.conf or nss.conf in the server.
> > > The output for getcert list command shows this :-
> > > getcert list
> > > Number of certificates and requests being tracked: 0.
> > >
> > > I just want to create a crt and key file signed by IPA. So that I can use it for the browsers.
> > Hi,
> >
> > please keep the users mailing list in cc, so that everyone can get involved/see the resolution.
> >
> > It is difficult to provide advice with so few information. Can you start by checking which certificates were already issued by FreeIPA, and we'll see if they are expired?
> >
> > $ kinit admin
> > $ ipa cert-find
> >
> > With the full output and based on the subject you'll be able to identify the host or service certs that you are using for your applications. For each of these certs, run
> > $ kinit admin
> > $ ipa cert-show <serial number>
> > and the output will show if the cert is expired (check the Not After field).
> >
> > For an expired cert, you will be able to renew the cert if you still have the private key. The private key location can be found by checking the configuration of your applications.
> > For instance apache on rhel or fedora stores its config in /etc/httpd/conf/httpd.conf, which by default loads the modules in conf.modules.d/*.conf and the config files in conf.d/*.conf.
> >
> > flo
> >
> > > Thanks,
> > > Azeem
> > >
> > > On Mon, 18 Mar 2019 at 05:30, Florence Blanc-Renaud <flo@redhat.com> wrote:
> > >
> > > > On 3/15/19 8:16 PM, Azim Siddiqui wrote:
> > > > > Hi Florence,
> > > > >
> > > > > Hope you are doing good. I tried the way you said. But still, it is showing certificate is expired.
> > > > >
> > > > > Let me be more clear about it.
> > > > >
> > > > > We have apache running with an expired certificate which is signed by FreeIPA. Now I want to renew or create a new certificate. So can you please tell me how can I renew or create a new certificate signed by Freeipa.
> > > > > As whenever I am going to the Apache URL from the browser, it is showing site is not secured.
> > > > >
> > > > > Thanks & Regards,
> > > > > Azeem
> > > > >
> > > > Hi,
> > > >
> > > > (re-adding freeipa-users in CC).
> > > > Can you first confirm that you are referring to a cert for the apache server *not running on one of the FreeIPA masters*?
> > > >
> > > > Then please explain how you originally obtained the certificate. Also include the following information:
> > > > - relevant apache configuration (if using mod_ssl, then /etc/httpd/conf.d/ssl.conf or if using mod_nss, /etc/httpd/conf.d/nss.conf).
> > > > - output of getcert list on the host running apache
> > > >
> > > > flo
> > > >
> > > > > On Wed, 19 Dec 2018 at 14:04, Florence Blanc-Renaud <flo@redhat.com> wrote:
> > > > >
> > > > > > On 12/13/18 4:04 PM, Azim Siddiqui via FreeIPA-users wrote:
> > > > > > > Hello,
> > > > > > >
> > > > > > > Hope you are doing good. I have a question regarding freeIPA host certificates.
> > > > > > > We are using FreeIPA as our LDAP. We have some certificates for hosts ex :- http/uat.com.
> > > > > > > And we deploying the certs in Haproxy in PEM format.
> > > > > > > But the certificates for this host has been expired.
> > > > > > > Can you please let me know in detail how to renew my expired certificates for the hosts. Please provide me the commands and steps.
> > > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > from your description I understand that you are referring to certificates delivered by IPA CA for one of the IPA-enrolled hosts, but not the master's Server-Cert used for IPA Web GUI.
> > > > > >
> > > > > > In this case, how did you obtain the certificate? If you used a method similar to what is described in this wiki [1], the certificate should be monitored by certmonger and automatically renewed.
> > > > > >
> > > > > > If you followed instead this wiki [2], the certificate is not tracked by certmonger and needs to be manually renewed. You need to do the following, assuming that the cert is in a NSS database $NSSDB on the IPA client:
> > > > > > - find the key nickname
> > > > > > # certutil -K -d $NSSDB
> > > > > > certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> > > > > > Enter Password or Pin for "NSS Certificate DB":
> > > > > > < 0> rsa      7c0646606b33ab683ee4d1790719ebc4154db0f6   NSS Certificate DB:Server-Cert
> > > > > > (note the key nickname for the next command)
> > > > > >
> > > > > > - create a new certificate request that will re-use the existing key (replace DOMAIN.COM with your IPA domain, in uppercase):
> > > > > > # certutil -R -d $NSSDB -k "NSS Certificate DB:Server-Cert" -s "cn=`hostname`,O=DOMAIN.COM" -a -o /tmp/cert.csr
> > > > > > Enter Password or Pin for "NSS Certificate DB":
> > > > > >
> > > > > > - request a certificate using the new certificate request
> > > > > > # kinit admin
> > > > > > # ipa cert-request --principal=HTTP/`hostname` /tmp/cert.csr
> > > > > > (the output will display a Serial Number that needs to be noted for the next command)
> > > > > >
> > > > > > - remove the previous cert from the NSS database:
> > > > > > # certutil -D -d $NSSDB -n Server-Cert
> > > > > >
> > > > > > - export the certificate to a file, then import the certificate in the NSS database:
> > > > > > # ipa cert-show $SERIAL_NUMBER --out=/tmp/server.crt
> > > > > > # certutil -A -d $NSSDB -n Server-Cert -t u,u,u -i /tmp/server.crt
> > > > > >
> > > > > > HTH,
> > > > > > flo
> > > > > >
> > > > > > [1] https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger
> > > > > > [2] https://www.freeipa.org/page/PKI#Manual_certificate_requests
> > > > > >
> > > > > > > FreeIPA, version: 4.2.0
> > > > > > >
> > > > > > > Thanks & Regards,
> > > > > > > Azeem
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > > > > > > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> > > > > > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > > > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
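As an added example (not part of this thread, and not FreeIPA project code), the following POSIX shell script packages the extraction commands Florence gives above into two functions: one that exports a nickname's certificate and private key from an NSS database to PEM via certutil and pk12util, and one that checks, using only openssl, that the exported key really belongs to the certificate (the mismatch Azeem is reporting). It assumes certutil, pk12util and openssl are on the PATH; the database path, nickname and output directory are placeholders passed as arguments. Before exporting, it confirms with certutil -K that a private key exists for that nickname, since, as noted above, an NSSDB can hold certificates with no matching key.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes certutil, pk12util
# and openssl are installed. Paths and nicknames below are placeholders.

# Export one nickname's certificate (PEM) and unencrypted private key (PEM)
# from an NSS database. Refuses to proceed when the database holds no private
# key for that nickname, which is the "certificate without a key" case.
# Usage: export_from_nssdb /path/to/nssdb Server-Cert /tmp/out
export_from_nssdb() {
    nssdb=$1; nick=$2; outdir=$3
    # certutil -K lists keys as "... NSS Certificate DB:<nickname>"
    if ! certutil -K -d "$nssdb" | grep -qF -- "DB:$nick"; then
        echo "no private key for nickname '$nick' in $nssdb" >&2
        return 1
    fi
    mkdir -p "$outdir"
    # Certificate only; no key material involved.
    certutil -L -d "$nssdb" -n "$nick" -a -o "$outdir/cert.pem"
    # Key + cert as PKCS#12, then unwrap just the key with openssl.
    pk12util -o "$outdir/keys.p12" -n "$nick" -d "$nssdb"
    openssl pkcs12 -in "$outdir/keys.p12" -nocerts -nodes -out "$outdir/key.pem"
    rm -f "$outdir/keys.p12"
    chmod 600 "$outdir/key.pem"
}

# Read a PEM public key on stdin and print the SHA-256 of its DER-encoded
# SubjectPublicKeyInfo. Comparing SPKI hashes works for RSA and EC keys alike.
spki_hash() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 when the public key inside CERT equals the public key derived from
# KEY, non-zero otherwise (including when either file cannot be parsed).
key_matches_cert() {
    cert=$1; key=$2
    cert_hash=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | spki_hash)
    key_hash=$(openssl pkey -in "$key" -pubout 2>/dev/null | spki_hash)
    [ -n "$cert_hash" ] && [ "$cert_hash" = "$key_hash" ]
}

# Stand-alone usage: sh export_check.sh <nssdb dir> <nickname> <output dir>
if [ $# -eq 3 ]; then
    export_from_nssdb "$1" "$2" "$3" || exit 1
    if key_matches_cert "$3/cert.pem" "$3/key.pem"; then
        echo "OK: $3/key.pem belongs to $3/cert.pem"
    else
        echo "MISMATCH: $3/key.pem does not belong to $3/cert.pem" >&2
        exit 1
    fi
fi
```

The key/certificate comparison does not depend on NSS at all, so it can also be pointed at the PEM files an application such as Apache or HAProxy is already loading, to confirm which key a given certificate was issued for before attempting a renewal.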
Hi Florence,
I want to extract the private key and certificate to a PEM file. I am talking about the nssdb which is located in /etc/pki path.
Content of nssdb:
certutil -L -d /etc/pki/nssdb/

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

IPA.CLEAR-MARKETS.COM IPA CA                  CT,C,C
Is this the correct directory to extract the private key and certificate? Will it work if I extract the private key from nssdb and renew the certificate?
Thanks & Regards, Azeem
On Thu, 21 Mar 2019 at 05:00, Florence Blanc-Renaud <flo@redhat.com> wrote:
Azim Siddiqui via FreeIPA-users wrote:
Hi Florence,
I want to extract the private key and certificate to a PEM file. I am talking about the nssdb which is located in /etc/pki path.
Content of nssdb:
certutil -L -d /etc/pki/nssdb/

Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

IPA.CLEAR-MARKETS.COM IPA CA                  CT,C,C
Is this the correct directory to extract the private key and certificate? Will it work if I extract the private key from nssdb and renew the certificate?
The threading for this is a bit off so I can't follow the reasoning for this.
There is no private key in that directory, only the CA public certificate. If you need that in PEM it is likely already on the machine in /etc/ipa/ca.crt.
What is your ultimate goal here?
rob
https://www.freeipa.org/page/PKI#Manual_certificate_requests > > > > > > > > > FreeIPA, version: 4.2.0 > > > > > > > > > > Thanks & Regards, > > > > > Azeem > > > > > > > > > > > > > > > _______________________________________________ > > > > > FreeIPA-users mailing list -- > > > > freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> > > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>>> > > > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> > > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>>>> > > > > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> > > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>>> > > > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> > > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>>>>> > > > > > To unsubscribe send an email to > > > > freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > <mailto:freeipa-users-leave@lists.fedorahosted.org 
<mailto:freeipa-users-leave@lists.fedorahosted.org>> > > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>>> > > > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>> > > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>>>> > > > > > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>> > > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>>> > > > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>> > > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>>>>> > > > > > Fedora Code of Conduct: > > > https://getfedora.org/code-of-conduct.html > > > > > List Guidelines: > > > > https://fedoraproject.org/wiki/Mailing_list_guidelines > > > > > List Archives: > > > > > > > > > > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > > > > > > > > > > > > > > >
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
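The manual NSS-database renewal Florence lays out above, as an added example that is not code from the thread or from the FreeIPA project: the key nickname is read from `certutil -K` output instead of being retyped, the serial number is parsed from `ipa cert-request`, and the issued certificate is fetched before the old one is deleted so a failed `ipa cert-show` never leaves the database without a cert. The database path `/etc/httpd/alias`, the nickname `Server-Cert`, the `HTTP/<hostname>` principal and the subject are assumptions for illustration; set `DRY_RUN=1` to print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread: Florence's manual renewal steps
# for a cert held in an NSS database, wrapped so the key nickname is read
# from `certutil -K` output and the new cert is fetched before the old one
# is deleted. NSSDB, the nickname and the HTTP/<host> principal are the
# caller's (assumed values below); set DRY_RUN=1 to print the commands only.

# Token-qualified key nickname ("NSS Certificate DB:Server-Cert") for the
# bare nickname $2, read from the `certutil -K` output passed as $1.
# Key lines look like (constructed, same shape as the thread's output):
#   < 0> rsa      7c0646606b33ab683ee4d1790719ebc4154db0f6   NSS Certificate DB:Server-Cert
key_nickname() {
    printf '%s\n' "$1" |
        sed -n 's/^< *[0-9][0-9]*> *[A-Za-z]* *[0-9a-f]* *//p' |
        awk -v n="$2" 'substr($0, length($0) - length(n)) == ":" n { print; exit }'
}

# Decimal serial number from `ipa cert-request` output
# (the "Serial number:" line, not the "Serial number (hex):" one).
serial_from_output() {
    printf '%s\n' "$1" | sed -n 's/^ *Serial number: *\([0-9][0-9]*\) *$/\1/p' | head -n 1
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Renew the cert with nickname $2 in NSS database $1, re-using its private
# key. $3 is the token-qualified key nickname (see key_nickname), $4 the
# service principal (HTTP/host.example.test), $5 the CSR subject.
renew_nss_cert() {
    nssdb=$1 nick=$2 keynick=$3 principal=$4 subject=$5
    csr=/tmp/$nick.csr
    crt=/tmp/$nick.crt

    # 1. CSR signed with the existing key (certutil prompts for the DB password)
    run certutil -R -d "$nssdb" -k "$keynick" -s "$subject" -a -o "$csr" || return 1

    # 2. Submit the CSR to the IPA CA and capture the new serial number
    run kinit admin || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        run ipa cert-request --principal="$principal" "$csr"
        serial='$SERIAL_NUMBER'   # placeholder in dry-run mode
    else
        out=$(ipa cert-request --principal="$principal" "$csr") || return 1
        serial=$(serial_from_output "$out")
        [ -n "$serial" ] || { echo "no serial number in ipa cert-request output" >&2; return 1; }
    fi

    # 3. Fetch the issued cert first, so a failure here leaves the old cert in place
    run ipa cert-show "$serial" --out="$crt" || return 1

    # 4. Replace the old cert under the same nickname; certutil -D leaves the key alone
    run certutil -D -d "$nssdb" -n "$nick" || return 1
    run certutil -A -d "$nssdb" -n "$nick" -t u,u,u -i "$crt" || return 1
    rm -f "$csr"
}

# Stand-alone usage (assumed paths): discover the key nickname, then renew.
if [ "${0##*/}" = "renew-nss-cert.sh" ]; then
    NSSDB=${NSSDB:-/etc/httpd/alias}
    keyinfo=$(certutil -K -d "$NSSDB") || exit 1
    keynick=$(key_nickname "$keyinfo" Server-Cert)
    [ -n "$keynick" ] || { echo "no key named Server-Cert in $NSSDB" >&2; exit 1; }
    renew_nss_cert "$NSSDB" Server-Cert "$keynick" "HTTP/$(hostname)" "CN=$(hostname),O=DOMAIN.COM"
fi
```

The only ordering change from the thread is fetching the new certificate (step 3) before removing the old one (step 4); everything else is the same certutil and ipa invocation sequence. The script assumes the host already has a valid Kerberos ticket after `kinit admin` and that the subject's CN matches the host named in the principal, which the IPA CA checks when it issues the certificate.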
Hi Rob,
Thank you for your email.
So here's the thing. We have a total of five servers in our environment. FreeIPA is installed on one of the servers, and the other servers have Tomcat, Jenkins, Git and Haproxy running on them. So when I am trying to access the URLs for these applications, for example Git or Jenkins, it is showing "Site is not secured". So basically the certificate has expired. And also I can see the certificates are from IPA.
So now I am looking for a way to renew or create new certs for my current expired certs, which are from IPA, so that my URLs will be secured. It's been more than a month, but I am not finding a correct process for this.
P.S.: The currently expired certs were created by a system admin who is not working for us now.
Thanks & Regards, Azeem
On Fri, 22 Mar 2019 at 08:50, Rob Crittenden rcritten@redhat.com wrote:
Azim Siddiqui via FreeIPA-users wrote:
Hi Florence,
I want to extract the private key and certificate to a PEM file. I am talking about the nssdb which is located in /etc/pki path.
Content of nssdb:
certutil -L -d /etc/pki/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA.CLEAR-MARKETS.COM IPA CA                                 CT,C,C
Is this the correct directory to extract the private key and certificate? Will it work if I extract the private key from nssdb and renew the certificate?
The threading for this is a bit off so I can't follow the reasoning for this.
There is no private key in that directory, only the CA public certificate. If you need that in PEM it is likely already on the machine in /etc/ipa/ca.crt.
What is your ultimate goal here?
rob
Thanks & Regards, Azeem
On Thu, 21 Mar 2019 at 05:00, Florence Blanc-Renaud <flo@redhat.com> wrote:
Azim Siddiqui via FreeIPA-users wrote:
Ok so /etc/pki/nssdb is not what you want.
Look to see how those services are configured to find where their certificate(s) are on the filesystem.
Run getcert list as root to see if the certs were originally requested using certmonger (I'm guessing not since you say they are expired).
Once you find the cert files you might also find the original CSR. If not you can pretty easily generate a new one using the private key you find. Submit that to IPA using ipa cert-request and that should resolve things for you.
rob
> > > > > > We are using FreeIPA as our LDAP. We > have some > > > > certificates for > > > > > hosts ex > > > > > > :- http/uat.com <http://uat.com> <http://uat.com> > <http://uat.com> > > <http://uat.com> <http://uat.com> > > > <http://uat.com> > > > > <http://uat.com>. > > > > > > And we deploying the certs in Haproxy > in PEM > > format. > > > > > > But the certificates for this host has > been > > expired. > > > > > > Can you please let me know in detail > how to > > renew > > > my expired > > > > > > certificates for the hosts. Please provide > > me the > > > commands > > > > and steps. > > > > > > > > > > > Hi, > > > > > > > > > > from your description I understand that > you are > > > referring to > > > > > certificates delivered by IPA CA for one > of the > > > IPA-enrolled > > > > hosts, but > > > > > not the master's Server-Cert used for IPA > Web GUI. > > > > > > > > > > In this case, how did you obtain the > > certificate? If > > > you used > > > > a method > > > > > similar to what is described in this wiki > [1], the > > > certificate > > > > > should be > > > > > monitored by certmonger and automatically > renewed. > > > > > > > > > > If you followed instead this wiki [2], the > > certificate > > > is not > > > > > tracked by > > > > > certmonger and needs to be manually renewed. 
> > You need > > > to do the > > > > > following, assuming that the cert is in a NSS > > database > > > $NSSDB > > > > on the > > > > > IPA > > > > > client: > > > > > - find the key nickname > > > > > # certutil -K -d $NSSDB > > > > > certutil: Checking token "NSS Certificate DB" > > in slot "NSS > > > > User Private > > > > > Key and Certificate Services" > > > > > Enter Password or Pin for "NSS > Certificate DB": > > > > > < 0> rsa > > > 7c0646606b33ab683ee4d1790719ebc4154db0f6 NSS > > > > > Certificate > > > > > DB:Server-Cert > > > > > (note the key nickname for the next command) > > > > > > > > > > - create a new certificate request that will > > re-use the > > > > existing key > > > > > (replace DOMAIN.COM <http://DOMAIN.COM> <http://DOMAIN.COM> > <http://DOMAIN.COM> > > <http://DOMAIN.COM> > > > <http://DOMAIN.COM> <http://DOMAIN.COM> > > > > with your IPA domain, in > > > > > uppercase): > > > > > # certutil -R -d $NSSDB -k "NSS Certificate > > > DB:Server-Cert" -s > > > > > cn=`hostname,O=DOMAIN.COM <http://DOMAIN.COM> > <http://DOMAIN.COM> <http://DOMAIN.COM> > > <http://DOMAIN.COM> > > > <http://DOMAIN.COM> > > > > <http://DOMAIN.COM>" -a -o /tmp/cert.csr > > > > > Enter Password or Pin for "NSS > Certificate DB": > > > > > > > > > > - request a certificate using the new > > certificate request > > > > > # kinit admin > > > > > # ipa cert-request > --principal=HTTP/`hostname` > > > /tmp/web.csr > > > > > (the output will display a Serial Number that > > needs to be > > > > noted for the > > > > > next command) > > > > > > > > > > - remove the previous cert from the NSS > database: > > > > > # certutil -D -d $NSSDB -n Server-Cert > > > > > > > > > > - export the certificate to a file, then > import the > > > > certificate in the > > > > > NSS database: > > > > > # ipa cert-show $SERIAL_NUMBER > > --out=/tmp/server.crt > > > > > # certutil -A -d $NSSDB -n Server-Cert -t > u,u,u -i > > > > /tmp/server.crt > > > > > > > > > > HTH, > > > > > flo > > > > > > 
> > > > [1] > > > > > > > > > > > > > > > https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger > > > > > [2] > > > https://www.freeipa.org/page/PKI#Manual_certificate_requests > > > > > > > > > > > FreeIPA, version: 4.2.0 > > > > > > > > > > > > Thanks & Regards, > > > > > > Azeem > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > FreeIPA-users mailing list -- > > > > > freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> > > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>>> > > > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> > > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>>>> > > > > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> > > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>>> > > > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> > > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>>>>> > > > > > > 
<mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> > > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>>> > > > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> > > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>>>> > > > > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> > > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>>> > > > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> > > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>>>>>> > > > > > > To unsubscribe send an email to > > > > > freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>> > > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>>> > > > 
<mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>> > > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>>>> > > > > > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>> > > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>>> > > > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>> > > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>>>>> > > > > > > > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>> > > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>>> > > > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>> > > <mailto:freeipa-users-leave@lists.fedorahosted.org 
<mailto:freeipa-users-leave@lists.fedorahosted.org> > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>>>> > > > > > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>> > > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>>> > > > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>> > > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>>>>>> > > > > > > Fedora Code of Conduct: > > > > https://getfedora.org/code-of-conduct.html > > > > > > List Guidelines: > > > > > > https://fedoraproject.org/wiki/Mailing_list_guidelines > > > > > > List Archives: > > > > > > > > > > > > > > > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org >
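The manual renewal procedure quoted in the thread (certutil -K to find the key nickname, certutil -R reusing that key, ipa cert-request, certutil -D, ipa cert-show, certutil -A) collected into one script, as an added example that is not code from the thread or from the FreeIPA project. It assumes the NSSDB path, nickname, IPA domain and principal are supplied via environment variables (the /etc/httpd/alias default is an assumption, adjust it to where your application keeps its NSS database), that the domain may be given in any case and is upper-cased for the subject as the thread requires, and that `ipa cert-request` prints a "Serial number:" line that can be read back. DRY_RUN=1 (the default) prints each command instead of running it; the certutil -K and ipa cert-request output embedded in the block is constructed sample text in the format the thread shows.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): manual renewal of a
# certificate stored in an NSS database and issued by the FreeIPA CA,
# following the steps quoted above. DRY_RUN=1 (the default) only prints
# the commands; set DRY_RUN=0 to execute them on an enrolled client.

NSSDB="${NSSDB:-/etc/httpd/alias}"        # assumed path; adjust to your app
NICK="${NICK:-Server-Cert}"               # key/cert nickname inside the NSSDB
DOMAIN="${DOMAIN:-example.test}"          # your IPA domain, any case
PRINCIPAL="${PRINCIPAL:-HTTP/$(hostname 2>/dev/null || echo localhost)}"
CSR="${CSR:-/tmp/cert.csr}"
CRT="${CRT:-/tmp/server.crt}"
DRY_RUN="${DRY_RUN:-1}"

# Constructed sample of `certutil -K -d $NSSDB` output, in the format shown
# in the thread; used only by the self-check.
SAMPLE_KEYS='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      7c0646606b33ab683ee4d1790719ebc4154db0f6   NSS Certificate DB:Server-Cert'

# Constructed sample of the serial lines printed by `ipa cert-request`.
SAMPLE_REQUEST='  Serial number: 27
  Serial number (hex): 0x1B'

# Print the key nicknames from certutil -K output, one per line.
# Key lines look like "< 0> rsa <key id> NSS Certificate DB:Server-Cert";
# the nickname is the text after the last colon.
parse_key_nicknames() {
    printf '%s\n' "$1" | sed -n 's/^<[ 0-9]*>.*:\([^:]*\)$/\1/p'
}

# Pull the decimal serial number out of ipa cert-request output
# (the "(hex)" line is deliberately not matched).
parse_serial() {
    printf '%s\n' "$1" | sed -n 's/^ *Serial number: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Subject for the CSR: cn=<host>,O=<IPA domain in upper case>.
build_subject() {
    printf 'cn=%s,O=%s' "$1" "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')"
}

# Run a command, or print it on stderr in dry-run mode.
run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ %s\n' "$*" >&2
    else
        "$@"
    fi
}

renew() {
    # Preflight: the private key we intend to reuse must exist under $NICK,
    # otherwise certutil -R would silently generate a brand-new key.
    if [ "$DRY_RUN" != 1 ]; then
        keys=$(certutil -K -d "$NSSDB") || return 1
        parse_key_nicknames "$keys" | grep -qx "$NICK" || {
            printf 'no private key named %s in %s\n' "$NICK" "$NSSDB" >&2
            return 1
        }
    fi
    subject=$(build_subject "$(hostname 2>/dev/null || echo localhost)" "$DOMAIN")

    # 1. New CSR that reuses the existing key.
    run_cmd certutil -R -d "$NSSDB" -k "NSS Certificate DB:$NICK" -s "$subject" -a -o "$CSR" || return 1
    # 2. Submit the CSR to the IPA CA and read back the serial it prints.
    run_cmd kinit admin || return 1
    out=$(run_cmd ipa cert-request --principal="$PRINCIPAL" "$CSR") || return 1
    printf '%s\n' "$out"
    serial=$(parse_serial "$out")
    [ -n "$serial" ] || serial='SERIAL_NUMBER'       # placeholder in dry-run
    # 3. Replace the old certificate; certutil -D removes only the cert,
    #    the private key stays in the database.
    run_cmd certutil -D -d "$NSSDB" -n "$NICK" || return 1
    run_cmd ipa cert-show "$serial" --out="$CRT" || return 1
    run_cmd certutil -A -d "$NSSDB" -n "$NICK" -t u,u,u -i "$CRT" || return 1
}

# Usage: DRY_RUN=1 NSSDB=/path/to/nssdb DOMAIN=example.test ./renew.sh renew
case "${1:-}" in
    renew) renew ;;
esac
```

Run it with DRY_RUN=1 first and compare the printed commands against the thread's steps before letting it touch the database; the preflight refuses to proceed when no key with the expected nickname is present, because in that situation certutil -R would not reuse anything and the renewed cert would no longer match the application's key.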