lejeczek via FreeIPA-users wrote:
> On 19/07/17 20:06, Rob Crittenden via FreeIPA-users wrote:
>> lejeczek via FreeIPA-users wrote:
>>> hello fellas
>>>
>>> those certs I see with:
>>> $ ipa cert-find
>>> is it possible to get private key(s) for a given cert? By means of
>>> (any) command line?
>> Not from the CA, no.
>>
>> The CA doesn't store the private keys for the certificates it issues and
>> never sees them at all.
>>
>> You need access to the filesystem containing the private keys to be able
>> to retrieve/extract them.
>>
>> rob
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-users-leave(a)lists.fedorahosted.org
> so these are replicas/host certs created during replica/host add that
> I'm looking at - where does IPA store those private keys?
> Would there be any howto on how to get a cert+key pair in standard PEM
> out of IPA to use outside of IPA?
Depends on what you mean by outside of IPA.
It is a rather terrible idea to share keys between services
security-wise, especially given how easy it is to get a cert from IPA.
That said, it isn't a secret where they are stored. The web cert/key is
in /etc/httpd/alias and the ldap cert/key is in /etc/dirsrv/slapd-REALM.
You can use pk12util to export the cert and key as a PKCS#12 file and
then openssl pkcs12 to extract the key from that.
rob
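The two-step export Rob describes, written out as an added shell example (it is not from the thread or from the FreeIPA project); it assumes pk12util and openssl are installed, and the function names, the NSS directory and the certificate nickname are supplied by the caller, not taken from IPA.

```shell
#!/bin/sh
# Added example: NSS database -> PKCS#12 -> PEM, plus a check that the
# extracted key and cert really belong together.
set -eu

# Step 1: export one nickname from an NSS DB (e.g. /etc/httpd/alias) to
# PKCS#12. pk12util prompts for the DB and export passwords; -k and -w
# can read them from files instead. NSSDIR and NICK are caller-supplied.
nss_export_p12() {
    nssdir=$1; nick=$2; out=$3
    pk12util -o "$out" -n "$nick" -d "$nssdir"
}

# Step 2: split the PKCS#12 into key.pem and cert.pem. The key is written
# unencrypted (-nodes), so the output directory is created root-only.
p12_to_pem() {
    p12=$1; pass=$2; outdir=$3
    (umask 077; mkdir -p "$outdir")
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
        -out "$outdir/key.pem"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
        -out "$outdir/cert.pem"
    chmod 600 "$outdir/key.pem"
}

# Sanity check before handing the pair to another service: compare the
# SHA-256 of both public keys. Returns 0 when they match, 1 otherwise.
pem_pair_matches() {
    key=$1; cert=$2
    k=$(openssl pkey -in "$key" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$cert" -pubkey -noout \
        | openssl pkey -pubin -pubout -outform DER | openssl sha256)
    [ "$k" = "$c" ]
}
```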