Hello,
I have a FreeIPA server and about 7 nodes; each node has a certificate and a key.
I got those host certificates with: ipa-getcert request -v -f /etc/security/certificates/host.crt -k /etc/security/certificates/host.key
I can see the CA certificate; it's located at /etc/ipa/ca.crt. Where is the CAKey file? I need to create a Keystore for the host.
Thanks
-- Hernán Fernández
Hernán Fernández via FreeIPA-users wrote:
> Hello,
> I have a FreeIPA server and about 7 nodes; each node has a certificate and a key.
> I got those host certificates with: ipa-getcert request -v -f /etc/security/certificates/host.crt -k /etc/security/certificates/host.key
> I can see the CA certificate; it's located at /etc/ipa/ca.crt. Where is the CAKey file? I need to create a Keystore for the host.
You should never need the CA private key.
Maybe it's a matter of terminology. What kind of keystore are you trying to create? Are you working from some documentation?
rob
You were right. The CA key file was not necessary; I just concatenated the host and CA public key and used the host private key to generate the Keystore correctly.
I asked the question because some documents mention commands like this one, where the ca-key file is required.
1. Sign the certificate with the CA: openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days <validity> -CAcreateserial -passin pass:<ca-password>.
thanks -- Hernán Fernández +56994752172
On Sat, Nov 23, 2019 at 4:32 PM Rob Crittenden <rcritten@redhat.com> wrote:
> Hernán Fernández via FreeIPA-users wrote:
> > Hello,
> > I have a FreeIPA server and about 7 nodes; each node has a certificate and a key.
> > I got those host certificates with: ipa-getcert request -v -f /etc/security/certificates/host.crt -k /etc/security/certificates/host.key
> > I can see the CA certificate; it's located at /etc/ipa/ca.crt. Where is the CAKey file? I need to create a Keystore for the host.
> You should never need the CA private key.
> Maybe it's a matter of terminology. What kind of keystore are you trying to create? Are you working from some documentation?
> rob
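Added example, not part of the thread and not FreeIPA's own tooling: one way to build the keystore from only the host certificate, the host private key and the CA certificate, checking first that the three belong together. It assumes a PKCS#12 keystore (the thread does not say which type was built); the function names, the `KEYSTORE_PASS` variable and the fixture that stands in for the IPA CA are hypothetical.

```shell
#!/bin/sh
# build_keystore HOST_CRT HOST_KEY CA_CRT OUT_P12
# Reads only public CA material; the CA private key is never needed.
# The keystore password comes from $KEYSTORE_PASS (assumed name) so it
# does not appear in the process list.
# Usage on an enrolled host, with the paths from the thread:
#   build_keystore /etc/security/certificates/host.crt \
#       /etc/security/certificates/host.key /etc/ipa/ca.crt host.p12
build_keystore() {
    host_crt=$1 host_key=$2 ca_crt=$3 out=$4
    # 1. The host certificate must chain to the CA certificate.
    openssl verify -CAfile "$ca_crt" "$host_crt" >/dev/null 2>&1 || {
        echo "host certificate does not verify against CA" >&2; return 1; }
    # 2. The private key must belong to the certificate (compare public keys).
    cert_pub=$(openssl x509 -in "$host_crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$host_key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || {
        echo "private key does not match certificate" >&2; return 1; }
    # 3. Bundle host key + host cert + CA cert, readable by the owner only.
    (umask 077; openssl pkcs12 -export -in "$host_crt" -inkey "$host_key" \
        -certfile "$ca_crt" -name host -out "$out" -passout env:KEYSTORE_PASS)
}

# make_fixture DIR: constructed test data standing in for the IPA CA and one
# host certificate. The CA key exists only to mint the fixture and is deleted
# before build_keystore ever runs.
make_fixture() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=host.example.test" \
        -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null
    openssl x509 -req -in "$d/host.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/host.crt" 2>/dev/null
    # An unrelated key, used to show the mismatch check rejecting it.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other.key" 2>/dev/null
    rm -f "$d/ca.key"
}
```

The `openssl x509 -req -CA ... -CAkey ...` step quoted in the thread is what the CA side does when it issues a certificate; with `ipa-getcert` that signing happens on the IPA server, which is why a host never holds the CA key.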