I am so sorry. I will keep in mind to keep the list on all replies.
Thank you for providing me with the steps to create the certificate. I will
try to implement these steps and will let you know.
Thanks & Regards,
Azeem
On Sun, 24 Mar 2019 at 12:02, Rob Crittenden <rcritten(a)redhat.com> wrote:
You've been asked multiple times to keep the list on all replies. This
is so others can benefit or perhaps chime in with additional suggestions.
Azim Siddiqui wrote:
> Hi Rob,
>
> I tried running the getcert command, but it's not listing anything. (Do I
> need to run this command on the IPA server or on the other Jenkins, Git servers?)
I'd try on all of them. Who knows what the previous admin did. It is no
big loss if you can't find one.
> And also I couldn't find the private key.
You need to look in the configuration for those individual services.
They have to refer to some key and cert in order for TLS to work at all.
> Can I generate a new private key? If yes, can you please tell me
> the commands to run?
You don't need to maintain the current private key even if you find it.
If you don't find certmonger tracking then assuming the machine(s) are
IPA clients you can use ipa-getcert to request and track the
certificate. This should do renewal as well.
I wrote up a generic how-to for getting a cert for a web server a few months
ago:
https://rcritten.wordpress.com/2018/11/26/how-do-i-get-a-certificate-for-...
rob
>
> Thanks & Regards,
> Azeem
>
> On Fri, 22 Mar 2019 at 16:02, Rob Crittenden <rcritten(a)redhat.com> wrote:
>
> Azim Siddiqui via FreeIPA-users wrote:
> > Hi Rob,
> >
> > Thank you for your email.
> >
> > So here's the thing. We have a total of five servers in our environment.
> > FreeIPA is installed on one of the servers, and the other servers have
> > Tomcat, Jenkins, Git and Haproxy running on them. So when I am trying to
> > access the URLs for these applications, for example Git or Jenkins, it
> > shows "Site is not secured". So basically the certificate has expired.
> > And also I can see the certificates are from IPA.
> >
> > So now I am looking for a way to renew or create new certs for my
> > current expired certs, which are from IPA, so that my URLs will be
> > secured. It's been more than a month, but I am not finding a correct
> > process for this.
> >
> > P.S.: The currently expired certs were created by a system admin who
> > is not working for us now.
>
> Ok so /etc/pki/nssdb is not what you want.
>
> Look to see how those services are configured to find where their
> certificate(s) are on the filesystem.
>
> Run getcert list as root to see if the certs were originally requested
> using certmonger (I'm guessing not since you say they are expired).
>
> Once you find the cert files you might also find the original CSR. If
> not you can pretty easily generate a new one using the private key you
> find. Submit that to IPA using ipa cert_request and that should resolve
> things for you.
>
> rob
>
> >
> > Thanks & Regards,
> > Azeem
> >
> > On Fri, 22 Mar 2019 at 08:50, Rob Crittenden <rcritten(a)redhat.com> wrote:
> >
> > Azim Siddiqui via FreeIPA-users wrote:
> > > Hi Florence,
> > >
> > > I want to extract the private key and certificate to a PEM file.
> > > I am talking about the nssdb which is located in the /etc/pki path.
> > >
> > > Content of nssdb:
> > > certutil -L -d /etc/pki/nssdb/
> > >
> > > Certificate Nickname                                         Trust Attributes
> > >                                                              SSL,S/MIME,JAR/XPI
> > >
> > > IPA.CLEAR-MARKETS.COM IPA CA                                 CT,C,C
> > >
> > > Is this the correct directory to extract the private key and
> > > certificate? Will it work if I extract the private key from nssdb and
> > > renew the certificate?
> >
> > The threading for this is a bit off so I can't follow the reasoning for
> > this.
> >
> > There is no private key in that directory, only the CA public
> > certificate. If you need that in PEM it is likely already on the machine
> > in /etc/ipa/ca.crt.
> >
> > What is your ultimate goal here?
> >
> > rob
> >
> > >
> > > Thanks & Regards,
> > > Azeem
> > >
> > > On Thu, 21 Mar 2019 at 05:00, Florence Blanc-Renaud <flo(a)redhat.com> wrote:
> > >
> > > On 3/19/19 7:07 PM, Azim Siddiqui wrote:
> > > > Hi,
> > > >
> > > > I was wondering, is there any way I can extract the private key and
> > > > certificate from the nssdb directory? Because the one key I have is not
> > > > matching the certificate.
> > > >
> > > Hi
> > > I am insisting, but please keep freeipa-users in copy.
> > >
> > > What do you mean by "extract"? Do you want to remove the key from the
> > > nssdb? Or transform it into another format?
> > > To remove a private key from a nssdb, use the certutil command with the -F
> > > option. You can find the full format in the man page certutil(1).
> > >
> > > If you want to create a PKCS12 file containing the private key and
> > > certificate:
> > > pk12util -o keys.p12 -n $alias -d $NSSDB
> > >
> > > If you want a PEM file containing the private key:
> > > pk12util -o keys.p12 -n $alias -d $NSSDB
> > > openssl pkcs12 -in keys.p12 -out cert.key -nodes
> > >
> > > If you want a PEM file containing the cert:
> > > certutil -L -d $NSSDB -n $alias -a -o cert.pem
> > >
> > > But first of all, which NSSDB directory are you working with? An NSSDB
> > > can contain multiple keys and certificates, and also certificates
> > > without matching private keys. Can you show the content of your NSSDB?
> > > certutil -L -d $NSSDB
> > > certutil -K -d $NSSDB
> > >
> > > flo
> > > > Thanks,
> > > > Azeem
> > > >
> > > > On Tue, 19 Mar 2019 at 13:01, Florence Blanc-Renaud <flo(a)redhat.com> wrote:
> > > >
> > > > On 3/19/19 4:18 PM, Azim Siddiqui wrote:
> > > > > Hi Florence,
> > > > >
> > > > > Thanks for the info. I will check for the ipa cert-find command and will
> > > > > send you the output. Actually, when I am trying to do $ kinit admin it
> > > > > is asking for a password, and I am not sure about the password, as I
> > > > > said it was set by the previous system admin.
> > > > >
> > > > Hi
> > > > (re-adding freeipa-users in cc)
> > > >
> > > > If you do kinit -kt /etc/krb5.keytab you should also have enough
> > > > permissions to perform ipa cert-find.
> > > >
> > > > > And also I can see there is an nssdb directory on the server. Do you
> > > > > by any chance know what that is for?
> > > > There are many nssdb directories on a FreeIPA system. For instance
> > > > /etc/ipa/nssdb is the NSS database used by the ipa * commands. It
> > > > contains the certificates of the trusted certificate authorities. You
> > > > can find more information re. NSS databases in the man page for
> > > > certutil(1).
> > > >
> > > > >
> > > > > If I have the private key on the server, how can I renew the
> > > > > certificate signed by IPA? Can you please provide me the steps.
> > > > If you have the private key in the $NSSDB database you just need to follow
> > > > the steps provided in my first email
> > > > (https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...).
> > > >
> > > > flo
> > > > >
> > > > > Thanks & Regards,
> > > > > Azeem
> > > > >
> > > > > On Tue, 19 Mar 2019 at 04:57, Florence Blanc-Renaud <flo(a)redhat.com> wrote:
> > > > >
> > > > >
> > > > > On 3/18/19 7:50 PM, Azim Siddiqui wrote:
> > > > > > Hi Florence,
> > > > > >
> > > > > > Thanks for your reply.
> > > > > > I am referring to the applications.
For
> > example, we have
> > > > > > Apache,haproxy,jenkins,git which
uses
> certs signed
> > > by IPA. And
> > > > > now when
> > > > > > I am browsing these applications
urls.
It is
> > > showing, this
> > > > site
> > > > > is not
> > > > > > secured.
> > > > > > And originally, This cert were
created
> by a system
> > > admin,
> > > > who is not
> > > > > > working with us now. So its getting
hard
> for me to
> > > figure out,
> > > > > how can I
> > > > > > create or renew the certs.
> > > > > >
> > > > > > And I don't see any files
ssl.conf or
> nss.conf in
> > > the server.
> > > > > > The output for getcert list command
> shows this :-
> > > > > > getcert list
> > > > > > Number of certificates and requests
being
> > tracked: 0.
> > > > > >
> > > > > >
> > > > > > I just want to create a crt and key
file
> signed by
> > > IPA. So
> > > > that I
> > > > > can
> > > > > > use it for the browsers.
> > > > > Hi,
> > > > >
> > > > > please keep the users mailing list in cc, so that everyone can get
> > > > > involved/see the resolution.
> > > > >
> > > > > It is difficult to provide advice with so little information. Can you
> > > > > start by checking which certificates were already issued by FreeIPA, and
> > > > > we'll see if they are expired?
> > > > >
> > > > > $ kinit admin
> > > > > $ ipa cert-find
> > > > >
> > > > > With the full output and based on the subject you'll be able to
> > > > > identify the host or service certs that you are using for your
> > > > > applications. For each of these certs, run
> > > > > $ kinit admin
> > > > > $ ipa cert-show <serial number>
> > > > > and the output will show if the cert is expired (check the Not After
> > > > > field).
> > > > >
> > > > > For an expired cert, you will be able to renew the cert if you still
> > > > > have the private key. The private key location can be found by checking
> > > > > the configuration of your applications.
> > > > > For instance apache on rhel or fedora stores its config in
> > > > > /etc/httpd/conf/httpd.conf, which by default loads the modules in
> > > > > conf.modules.d/*.conf and the config files in conf.d/*.conf.
> > > > >
> > > > > flo
> > > > > >
> > > > > > Thanks,
> > > > > > Azeem
> > > > > >
> > > > > > On Mon, 18 Mar 2019 at 05:30, Florence Blanc-Renaud <flo(a)redhat.com> wrote:
> > > > > >
> > > > > > On 3/15/19 8:16 PM, Azim Siddiqui wrote:
> > > > > > > Hi Florence,
> > > > > > >
> > > > > > > Hope you are doing good. I tried the way you said. But still, it is
> > > > > > > showing the certificate is expired.
> > > > > > >
> > > > > > > Let me be more clear about it.
> > > > > > >
> > > > > > > We have apache running with an expired certificate which is signed by
> > > > > > > FreeIPA. Now I want to renew or create a new certificate. So can you
> > > > > > > please tell me how I can renew or create a new certificate signed by
> > > > > > > FreeIPA.
> > > > > > > Whenever I am going to the Apache URL from the browser, it is showing
> > > > > > > "site is not secured".
> > > > > > >
> > > > > > > Thanks & Regards,
> > > > > > > Azeem
> > > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > (re-adding freeipa-users in CC).
> > > > > > Can you first confirm that you are referring to a cert for the apache
> > > > > > server *not running on one of the FreeIPA masters*?
> > > > > >
> > > > > > Then please explain how you originally obtained the certificate. Also
> > > > > > include the following information:
> > > > > > - relevant apache configuration (if using mod_ssl, then
> > > > > > /etc/httpd/conf.d/ssl.conf or if using mod_nss,
> > > > > > /etc/httpd/conf.d/nss.conf).
> > > > > > - output of getcert list on the host running apache
> > > > > >
> > > > > > flo
> > > > > >
> > > > > > > On Wed, 19 Dec 2018 at 14:04, Florence Blanc-Renaud <flo(a)redhat.com> wrote:
> > > > > > >
> > > > > > > On 12/13/18 4:04 PM, Azim Siddiqui via FreeIPA-users wrote:
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > Hope you are doing good. I have a question regarding freeIPA host
> > > > > > > > certificates.
> > > > > > > > We are using FreeIPA as our LDAP. We have some certificates for
> > > > > > > > hosts, e.g. http/uat.com.
> > > > > > > > And we are deploying the certs in Haproxy in PEM format.
> > > > > > > > But the certificates for this host have expired.
> > > > > > > > Can you please let me know in detail how to renew my expired
> > > > > > > > certificates for the hosts. Please provide me the commands and steps.
> > > > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > from your description I understand that you are referring to
> > > > > > > certificates delivered by IPA CA for one of the IPA-enrolled hosts, but
> > > > > > > not the master's Server-Cert used for IPA Web GUI.
> > > > > > >
> > > > > > > In this case, how did you obtain the certificate? If you used a method
> > > > > > > similar to what is described in this wiki [1], the certificate should be
> > > > > > > monitored by certmonger and automatically renewed.
> > > > > > >
> > > > > > > If you followed instead this wiki [2], the certificate is not tracked by
> > > > > > > certmonger and needs to be manually renewed. You need to do the
> > > > > > > following, assuming that the cert is in an NSS database $NSSDB on the IPA
> > > > > > > client:
> > > > > > > - find the key nickname
> > > > > > > # certutil -K -d $NSSDB
> > > > > > > certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> > > > > > > Enter Password or Pin for "NSS Certificate DB":
> > > > > > > < 0> rsa      7c0646606b33ab683ee4d1790719ebc4154db0f6   NSS Certificate DB:Server-Cert
> > > > > > > (note the key nickname for the next command)
> > > > > > >
> > > > > > > - create a new certificate request that will re-use the existing key
> > > > > > > (replace DOMAIN.COM with your IPA domain, in uppercase):
> > > > > > > # certutil -R -d $NSSDB -k "NSS Certificate DB:Server-Cert" -s "cn=`hostname`,O=DOMAIN.COM" -a -o /tmp/cert.csr
> > > > > > > Enter Password or Pin for "NSS Certificate DB":
> > > > > > >
> > > > > > > - request a certificate using the new certificate request
> > > > > > > # kinit admin
> > > > > > > # ipa cert-request --principal=HTTP/`hostname` /tmp/cert.csr
> > > > > > > (the output will display a Serial Number that needs to be noted for the
> > > > > > > next command)
> > > > > > >
> > > > > > > - remove the previous cert from the NSS database:
> > > > > > > # certutil -D -d $NSSDB -n Server-Cert
> > > > > > >
> > > > > > > - export the certificate to a file, then import the certificate in the
> > > > > > > NSS database:
> > > > > > > # ipa cert-show $SERIAL_NUMBER --out=/tmp/server.crt
> > > > > > > # certutil -A -d $NSSDB -n Server-Cert -t u,u,u -i /tmp/server.crt
> > > > > > >
> > > > > > > HTH,
> > > > > > > flo
> > > > > > >
> > > > > > > [1]
> > > > > > > https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Cert...
> > > > > > > [2]
> > > > > > > https://www.freeipa.org/page/PKI#Manual_certificate_requests
> > > > > > >
> > > > > > > > FreeIPA, version: 4.2.0
> > > > > > > >
> > > > > > > > Thanks & Regards,
> > > > > > > > Azeem
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > > > > > > > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>>
> > > >
<mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>>>>
> > > > > >
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>>
> > > >
<mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>>>
> > > > >
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>>
> > > >
<mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
>
<mailto:freeipa-users-leave@lists.fedorahosted.org>>>>>>>
> > > > > > > > Fedora Code of
Conduct:
> > > > > >
https://getfedora.org/code-of-conduct.html
> > > > > > > > List Guidelines:
> > > > > > >
> > >
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > > > > List Archives:
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> > >
> > >
> > > _______________________________________________
> > > FreeIPA-users mailing list --
> freeipa-users(a)lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> > <mailto:freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>>
> > > To unsubscribe send an email to
> > freeipa-users-leave(a)lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
> > <mailto:freeipa-users-leave@lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>>
> > > Fedora Code of Conduct:
>
https://getfedora.org/code-of-conduct.html
> > > List Guidelines:
> >
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives:
> >
>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > >
> >
> >
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...