Using certutil, I'm able to extract my localhost CA using this command.
certutil -L -d dbm:/etc/ipa/nssdb -a -n 'Local IPA host'
However, I need a signing key to create a private key. Is there a method to extract a private key that signed my localhost CA from the endpoint, or does this key exist on my server?
Thank you.
Sam Klein via FreeIPA-users wrote:
> Using certutil, I'm able to extract my localhost CA using this command.
> certutil -L -d dbm:/etc/ipa/nssdb -a -n 'Local IPA host'
> However, I need a signing key to create a private key. Is there a method to extract a private key that signed my localhost CA from the endpoint, or does this key exist on my server?
Need more context on what you're trying to do. You shouldn't need direct access to the CA private key.
rob
Sam Klein via FreeIPA-users wrote:
> Hi Rob,
>> Need more context on what you're trying to do.
> I hope to use a key to identify each endpoint for a Cisco Identity Services Engine.
> To do so, I need a private key.
> My hope was that IdM could automate this for me with a CA chain.
> Does this context help?
So you need to generate a certificate for the Cisco server.
You need to generate your own private key and a CSR from that and submit it to IPA to issue the certificate.
A certificate in IPA must be associated with an entry (host or service). So you'll need to create a host or service for the Cisco device and request the certificate against that host/service.
rob
freeipa-users@lists.fedorahosted.org
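
The workflow Rob describes (generate your own key and CSR, create a host entry, request the certificate against it), sketched as an added example that is not part of the original thread. The hostname ise01.example.test, the output directory and the RSA key size are assumed values; the function names are illustrative.

```shell
#!/bin/sh
# Added example. ise01.example.test, the output directory and the key size
# are assumed values; use the FQDN of the host entry you create in IPA.

# Generate a private key and a CSR for one host. The key is created locally
# and never sent to IPA; only the CSR (public key + requested names) is.
gen_key_and_csr() {
    host=$1; dir=$2
    mkdir -p "$dir"
    (
        umask 077   # key file readable by its owner only
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$dir/$host.key" -out "$dir/$host.csr" \
            -subj "/CN=$host" \
            -addext "subjectAltName=DNS:$host" 2>/dev/null
    )
}

# Confirm the CSR self-signature is valid and that it carries the public
# half of the key we just generated.
check_csr() {
    host=$1; dir=$2
    openssl req -in "$dir/$host.csr" -noout -verify 2>/dev/null || return 1
    csr_pub=$(openssl req -in "$dir/$host.csr" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/$host.key" -pubout)
    [ "$csr_pub" = "$key_pub" ]
}

# Create the host entry and ask the IPA CA to sign the CSR against it.
# Run on an enrolled machine with a valid admin ticket (kinit admin).
# --certificate-out is present in recent FreeIPA releases; without it the
# issued certificate is shown in the command output instead.
request_ipa_cert() {
    host=$1; dir=$2
    ipa host-add "$host" --force    # --force: add even without a DNS record
    ipa cert-request "$dir/$host.csr" \
        --principal="host/$host" \
        --certificate-out="$dir/$host.crt"
}

# Typical sequence:
#   gen_key_and_csr  ise01.example.test ./certs
#   check_csr        ise01.example.test ./certs
#   request_ipa_cert ise01.example.test ./certs
```

The CA private key is never involved on the client side: IPA signs the CSR server-side, and the only secret to protect on the endpoint is the generated `.key` file.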