Hi Team,
I would like to understand more about the /root/cacert.p12 file in a self-signed CA environment. Here are the questions:
1. Could this file be located somewhere other than under /root?
2. What operations use this file instead of nssdb? In other words, if the /root/cacert.p12 file were not in place, what operations would fail?
3. Any good readings to learn more?
Thank you in advance!
Kathy.
Kathy Zhu via FreeIPA-users wrote:
Hi Team,
I would like to understand more about the /root/cacert.p12 file in a self-signed CA environment. Here are the questions:
1. Could this file be located somewhere other than under /root?
2. What operations use this file instead of nssdb? In other words, if the /root/cacert.p12 file were not in place, what operations would fail?
3. Any good readings to learn more?
This is not operational. It is a backup of your CA keys in case something catastrophic happens, created at the time of initial server installation. Depending on the IPA version you don't need it at all. Early versions would use this file to prepare replicas. We ended up instead calling PKCS12Export to generate a new one prior to replica creation.
I don't think it is really used with domain-level 1 at all, so any version released in the last 5 years or so.
It is an artifact that comes out of the CA installation. It's in /root to provide the best possible protection for the file. The default location is /var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12. We move it.
You might find information about it in the RHCS documentation.
rob
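Since the file only matters when you need to restore the CA, the check worth having is that the backup is actually restorable. The script below is an added example, not code from this thread or from FreeIPA: it verifies that a PKCS#12 CA key backup is owner-only, opens with its password and carries a private key, and holds the same certificate as a trusted PEM copy of the CA cert (the /etc/ipa/ca.crt comparison target, the paths and the password argument are assumptions).

```shell
#!/bin/sh
# Added example: sanity-check a CA key backup such as /root/cacert.p12.
# Assumes GNU stat and an openssl binary; paths and password are caller-supplied.
set -eu

check_p12_backup() {
  p12="$1"; pass="$2"; ca_pem="$3"
  [ -f "$p12" ] || { echo "missing backup: $p12"; return 1; }

  # A CA key backup must not be readable by group or others.
  mode=$(stat -c '%a' "$p12")
  case "$mode" in
    600|400) ;;
    *) echo "permissions $mode on $p12 are too open"; return 1 ;;
  esac

  # The container must open with the password and yield a private key
  # (the extracted key is written to /dev/null under a throwaway password).
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts \
      -passout pass:discard -out /dev/null 2>/dev/null \
    || { echo "cannot read a private key from $p12"; return 1; }

  # The certificate inside must match the trusted CA cert by SHA-256 fingerprint.
  fp_p12=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys 2>/dev/null \
           | openssl x509 -noout -fingerprint -sha256)
  fp_ca=$(openssl x509 -in "$ca_pem" -noout -fingerprint -sha256)
  [ -n "$fp_p12" ] && [ "$fp_p12" = "$fp_ca" ] \
    || { echo "certificate in $p12 does not match $ca_pem"; return 1; }

  echo "backup OK: $fp_p12"
}

# Usage: ./check_p12_backup.sh /root/cacert.p12 <password> /etc/ipa/ca.crt
if [ "$#" -eq 3 ]; then
  check_p12_backup "$@"
fi
```

Backups written by older PKI versions may use the legacy RC2 encoding, which OpenSSL 3 reads only with the -legacy option added to the pkcs12 commands.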
Hi Rob,
Thank you for the explanation. Makes sense.
Kathy.
On Tue, Feb 7, 2023 at 5:32 PM Rob Crittenden rcritten@redhat.com wrote:
freeipa-users@lists.fedorahosted.org