Hello!
I'm setting up a RabbitMQ server on our internal network, and I
thought now would be a good time to figure out how to use FreeIPA
to issue certs for services to enable TLS. (Only internal systems
with the IPA cert will access the system.) However, I'm running
into a couple of problems.
I'm following the FreeIPA PKI Docs [1] on how to set up an
automated cert request with Certmonger which will put cert renewal
on autopilot, hopefully, and I'm getting stuck on step #6 of the
instructions where I'm supposed to import the IPA `ca.crt` into
the nssdb which was created for RabbitMQ.
Command and results of step #6:
```
[me@rabbitserver.sub.domain.tld]# certutil -A -d /etc/rabbitmq/nssdb -n 'SUB.DOMAIN.TLD IPA CA' -t CT,, -a < /etc/ipa/ca.crt
Enter Password or Pin for "NSS Certificate DB":
```
I don't know what password or pin it would like.
I read something which suggested
`/etc/dirsrv/slapd-DOMAIN-TLD/pin.txt` on the IPA server contained
the magic words which would unlock the database, so I copied the
token, which is not what certutil wants to unlock `/etc/ipa/nssdb`.
Example contents of `/etc/ipa/nssdb/pin.txt` on IPA server:
```
Internal (Software) Token:<thispartiswhaticopied>
```
Here are the problems:
IPA Server:
Rabbit Server:
Ryan
1: https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger