hello fellas
those certs I see with: $ ipa cert-find - is it possible to get the private key(s) for a given cert? By means of (any) command line?
many thanks. L.
lejeczek via FreeIPA-users wrote:
hello fellas
those certs I see with: $ ipa cert-find - is it possible to get the private key(s) for a given cert? By means of (any) command line?
Not from the CA, no.
The CA doesn't store the private keys for the certificates it issues and never sees them at all.
You need access to the filesystem containing the private keys to be able to retrieve/extract them.
rob
On 19/07/17 20:06, Rob Crittenden via FreeIPA-users wrote:
lejeczek via FreeIPA-users wrote:
hello fellas
those certs I see with: $ ipa cert-find - is it possible to get the private key(s) for a given cert? By means of (any) command line?
Not from the CA, no.
The CA doesn't store the private keys for the certificates it issues and never sees them at all.
You need access to the filesystem containing the private keys to be able to retrieve/extract them.
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
so these are replica/host certs created during replica/host add that I'm looking at - where does IPA store those private keys? Would there be any howto on how to get the cert+key pair in standard PEM out of IPA to use outside of IPA?
many thanks L.
lejeczek via FreeIPA-users wrote:
On 19/07/17 20:06, Rob Crittenden via FreeIPA-users wrote:
lejeczek via FreeIPA-users wrote:
hello fellas
those certs I see with: $ ipa cert-find - is it possible to get the private key(s) for a given cert? By means of (any) command line?
Not from the CA, no.
The CA doesn't store the private keys for the certificates it issues and never sees them at all.
You need access to the filesystem containing the private keys to be able to retrieve/extract them.
rob
so these are replica/host certs created during replica/host add that I'm looking at - where does IPA store those private keys? Would there be any howto on how to get the cert+key pair in standard PEM out of IPA to use outside of IPA?
Depends on what you mean by outside of IPA.
It is a rather terrible idea to share keys between services security-wise, especially given how easy it is to get a cert from IPA.
That said, it isn't a secret where they are stored. The web cert/key is in /etc/httpd/alias and the LDAP cert/key is in /etc/dirsrv/slapd-REALM.
You can use pk12util to export the cert and key as a PKCS#12 file and then openssl pkcs12 to extract the key from that.
rob
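Rob's two-step procedure (pk12util export, then openssl pkcs12) written out as an added example; this is not code from the thread or from the FreeIPA project. It assumes you are root on the IPA server, that the NSS database directory and certificate nickname (e.g. /etc/httpd/alias and "Server-Cert") are the ones on your own host, and it adds a check that the extracted key really belongs to the certificate, so the wrong nickname cannot go unnoticed.

```shell
#!/bin/sh
# Added example: export an IPA service cert+key from its NSS database to PEM,
# then confirm the private key matches the certificate. Assumes root on the
# IPA server with pk12util and openssl installed; DB_DIR/NICK come from
# `certutil -L -d <dir>` on your own host (hypothetical values below).
set -eu
umask 077   # every file written here (PKCS#12, PEM key) is owner-only

# Step 1: NSS DB (e.g. /etc/httpd/alias) -> PKCS#12 bundle of cert+key.
# pk12util prompts for the NSS DB password and a PKCS#12 export password.
export_nss_p12() {   # args: nss_db_dir nickname out.p12
    pk12util -o "$3" -n "$2" -d "$1"
}

# Step 2: PKCS#12 -> PEM cert and PEM key. -nodes writes the key unencrypted,
# which is why the umask above matters; drop -nodes if the consumer can
# handle a passphrase-protected key.
p12_to_pem() {       # args: in.p12 p12_password out_cert.pem out_key.pem
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes  -out "$4"
}

# Step 3: sanity check. Hash the public key inside the certificate and the
# public key derived from the private key; they must be identical.
# Prints "match" (exit 0) or "MISMATCH" (exit 1).
key_matches_cert() { # args: cert.pem key.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey \
               | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; return 0; fi
    echo MISMATCH; return 1
}

# Example run on the web server pair from the thread (hypothetical paths):
# export_nss_p12 /etc/httpd/alias "Server-Cert" /root/http.p12
# p12_to_pem /root/http.p12 "$P12_PASS" /root/http-cert.pem /root/http-key.pem
# key_matches_cert /root/http-cert.pem /root/http-key.pem
```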