Use of ipa-getcert

Currently using the --request-cert option when enrolling hosts with ipa-client-install

Then using the below:

mkdir /tmp/cert
cp /etc/ipa/nssdb/cert8.db /tmp/cert
cp /etc/ipa/nssdb/key3.db /tmp/cert
cp /etc/ipa/nssdb/pwdfile.txt /tmp/cert
(cd /tmp/cert/ && certutil -L -d . -a -n 'Local IPA host' >> /etc/pki/tls/certs/<%= @host.name %>.crt)
(cd /tmp/cert && pk12util -o keys.p12 -n 'Local IPA host' -d . -k pwdfile.txt -w pwdfile.txt)
(cd /tmp/cert/ && openssl pkcs12 -in keys.p12 -out /etc/pki/tls/private/<%= @host.name %>.key -nodes -password file:pwdfile.txt -nocerts)

Assume this can be done using ipa-getcert, but not sure how to construct it.

Any help would be much appreciated...

Responses

Tim, can you please provide a bit more detail? "Currently using the --request-cert option when enrolling hosts with ipa-client-install": I am not clear on the query.

~Hemant

Hi Tim,

The product documentation contains this section about using Certmonger to request a certificate for a service:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/configuring_and_managing_identity_management/index#obtain-service-cert-with-certmonger_certmonger-for-issuing-renewing-service-certs

You can adapt the command so that you request a certificate for a host instead.
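
One way to adapt the documented certmonger command to a host instead of a service, as an added example that is not part of the thread or the product documentation: it asks certmonger to write the key and certificate directly to the PEM paths used in the question. The function names, the `GETCERT` dry-run hook and the `HOST_FQDN` variable are assumptions of this example, and the host is assumed to be enrolled already with certmonger running.

```shell
#!/bin/sh
# Added example: request and track a host certificate with ipa-getcert.
# GETCERT and HOST_FQDN are hypothetical knobs of this sketch:
#   GETCERT=echo   prints the commands instead of running them (dry run)
#   HOST_FQDN=...  runs the request for that host when the script is executed
GETCERT=${GETCERT:-ipa-getcert}

# Accept only a plain lowercase FQDN, because the value ends up in file
# paths and in a Kerberos principal name.
valid_fqdn() {
    case "$1" in
        ""|.*|*.|*..*|*[!a-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Request the certificate and show the resulting tracking entry.
#   -K host/<fqdn>  issue to the host principal rather than a service
#   -D <fqdn>       DNS name placed in the subjectAltName
#   -k / -f         PEM key and certificate files written by certmonger
#   -w              wait until the request has succeeded or failed
request_host_cert() {
    fqdn=$1
    valid_fqdn "$fqdn" || { echo "invalid FQDN: $fqdn" >&2; return 1; }
    key=/etc/pki/tls/private/$fqdn.key
    crt=/etc/pki/tls/certs/$fqdn.crt
    $GETCERT request -K "host/$fqdn" -D "$fqdn" -k "$key" -f "$crt" -w &&
        $GETCERT list -f "$crt"
}

# Does nothing unless HOST_FQDN is set, for example:
#   HOST_FQDN=client1.example.test sh request-host-cert.sh   (as root)
[ -z "${HOST_FQDN:-}" ] || request_host_cert "$HOST_FQDN"
```

Because certmonger tracks the request, it also renews the certificate, which the one-off export from the NSS database does not.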