On 7/2/19 2:32 PM, Chris Dagdigian via FreeIPA-users wrote:
Got a strange one for the list ...
I've got a lovely multi-region replicating FreeIPA cluster spanning a
few AWS VPCs that is doing a fantastic job stitching together a complex
Active Directory topology.
Now, however, I have a need to support clients in a different, less
trusted VPC and the firewall people want to do a MiTM attack on the
TLS/HTTPS streams so they can intercept, decrypt and monitor HTTPS
traffic -- including apparently to and from the IPA nodes.
They want the SSL cert and key used by the HTTPS interface on the IPA
systems so they can set up the intercept properly.
My main question -- how do I properly extract the key and certificate
from FreeIPA?
From reading and poking around it looks like the certs I want are in
/etc/httpd/alias but must be accessed by the 'certutil' utility which
seems ... under-documented ... both in the IPA docs as well as from what
I can tell online.
I'm sort of terrified of breaking my installation by screwing up
certificate work.
Can anyone provide tips, URLs or a cheatsheet for pulling SSL
certificates and keys out of FreeIPA? Particularly the cert and key that
is used on the HTTPS TCP:443 interface?
Hi,
the steps differ depending on the version you are using. From ipa 4.7+,
the http server cert is stored in /var/lib/ipa/certs/httpd.crt (PEM
format) and the key is in /var/lib/ipa/private/httpd.key.
For older versions, the cert/key are stored in the NSS database
/etc/httpd/alias with the nickname 'Server-Cert'. It is possible to
extract the server cert and key as a p12 file with
$ pk12util -o /path/to/file.p12 -n Server-Cert -d /etc/httpd/alias/ -k /etc/httpd/alias/pwdfile.txt
(the tool will ask you to provide a password to protect the p12 file).
Note that the p12 file will also contain the CA cert.
If you need a different format, you can use the following command to
create a PEM file with the key only:
$ openssl pkcs12 -in /path/to/file.p12 -out /path/to/httpd.key -nodes -nocerts
(warning, you need to protect the httpd.key file with appropriate file
permissions).
And the following to extract the cert only:
$ openssl pkcs12 -in /path/to/file.p12 -clcerts -nokeys -out /path/to/httpd.crt
Also note that each IPA master may have a different cert/key for httpd
(the subject is usually
CN=hostname.domain.com,O=DOMAIN.COM)
HTH,
flo
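Added example (not part of the thread, and not FreeIPA's own tooling): a small script that rehearses flo's p12 -> PEM split on a throwaway self-signed certificate, so the openssl steps and the file-permission caveat can be tried on a scratch box before touching a real IPA master. pk12util needs a real NSS database, so openssl stands in to build the test p12; the hostname, realm, paths and the p12 password are constructed placeholders. The final check confirms the extracted key actually belongs to the extracted cert, which is worth doing before handing the files to anyone.

```shell
#!/bin/sh
# Added example, not from the thread. Rehearses the p12 -> key/cert split on a
# constructed self-signed certificate; every path and password here is a placeholder.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-rehearsal-p12-password}"   # placeholder, not a real secret

# Build a constructed stand-in for 'Server-Cert': key + self-signed cert with the
# subject shape flo mentions (CN=hostname,O=REALM), wrapped in a p12 as pk12util
# would produce it. openssl is used because there is no NSS DB in this rehearsal.
make_test_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=ipa.example.test/O=EXAMPLE.TEST" \
    -keyout "$WORK/orig.key" -out "$WORK/orig.crt" >/dev/null 2>&1
  openssl pkcs12 -export -in "$WORK/orig.crt" -inkey "$WORK/orig.key" \
    -name Server-Cert -passout "pass:$P12_PASS" -out "$WORK/file.p12"
  echo "$WORK/file.p12"
}

# Split a p12 into a key-only and a cert-only PEM file (flo's two openssl
# invocations). The key is written under umask 077 and then locked to 0600 so it
# is never world-readable, not even briefly.
extract_from_p12() {
  p12="$1"; outdir="$2"
  mkdir -p "$outdir"
  ( umask 077
    openssl pkcs12 -in "$p12" -passin "pass:$P12_PASS" -nodes -nocerts \
      -out "$outdir/httpd.key" )
  openssl pkcs12 -in "$p12" -passin "pass:$P12_PASS" -clcerts -nokeys \
    -out "$outdir/httpd.crt"
  chmod 0600 "$outdir/httpd.key"
}

# Sanity check: the extracted private key must belong to the extracted
# certificate. Compares SHA-256 of the DER public key from both sides; returns 0
# on a match, non-zero otherwise.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout \
        | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Octal permission bits of a file (expected "600" for the key after extraction).
key_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage on a real master would be the same two calls with the pk12util output:
#   extract_from_p12 /path/to/file.p12 /root/ipa-httpd-export
#   key_matches_cert /root/ipa-httpd-export/httpd.key /root/ipa-httpd-export/httpd.crt
```

Because the -nodes output is an unencrypted private key, treat the output directory like the NSS database itself: keep it root-only, and delete the p12 and PEM copies once they have been imported wherever they are going.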
Thanks!
Chris
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org