Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
> certmonger doesn't support storing certificates in a java keystore.
>
> certmonger has the concept of pre and post renewal scripts so you can,
> for example stop or start a service, or import a renewed certificate
> somewhere else (IPA uses this to store a copy of some certificates in LDAP).
>
> So theoretically certmonger could for example, track PEM files in the
> filesystem and upon renewal run a post script to import the updated cert
> into the java keystore.

This is my current script to get a cert from IPA, which is tracked by
certmonger. I've yet to test refreshing a certificate, but the steps
manually did work (I expect some SELinux woes...):

#!/bin/sh
# Stop at the first failing step, so a broken conversion never gets imported.
set -e

# Get a certificate and key from IPA
#ipa-getcert request -w -f /etc/pki/tls/certs/saml.example.org.crt \
#    -k /etc/pki/tls/private/saml.example.org.key \
#    -N CN=saml.example.org \
#    -D saml.example.org \
#    -K HTTP/saml.example.org -U 1.3.6.1.5.5.7.3.1
##   -C "<here-we-call-the-commands-below>"

cd /opt/jboss/keycloak/standalone/configuration

# We need to have the password we use on the keystore also as the key password.
# IPA keys do not have a password - let's add one to a temp file.
openssl rsa -des3 -in /etc/pki/tls/private/saml.example.org.key -out saml.example.org.key \
    -passout file:/opt/jboss/keycloak/standalone/configuration/keystore.password

# Combine the key, the cert, and the CA cert into a pkcs12 file, which we'll
# import with keytool later. We need two password files with the same content,
# otherwise we'll get "Error reading password from BIO".
openssl pkcs12 -export \
    -passin file:/opt/jboss/keycloak/standalone/configuration/keystore.password \
    -passout file:/opt/jboss/keycloak/standalone/configuration/keystore.password2 \
    -in /etc/pki/tls/certs/saml.example.org.crt -inkey saml.example.org.key \
    -CAfile /etc/ipa/ca.crt -out temp.p12 -chain
#    -in /etc/pki/tls/certs/saml.example.org.crt -inkey /etc/pki/tls/private/saml.example.org.key \

# Now we can import our "pkcs12 keystore" into the keytool keystore we'll use
# for wildfly/keycloak
keytool -importkeystore -trustcacerts \
    -srckeystore temp.p12 -srcstoretype PKCS12 \
    -srcstorepass:file /opt/jboss/keycloak/standalone/configuration/keystore.password \
    -destkeypass:file /opt/jboss/keycloak/standalone/configuration/keystore.password \
    -deststorepass:file /opt/jboss/keycloak/standalone/configuration/keystore.password \
    -destkeystore /opt/jboss/keycloak/standalone/configuration/keycloak.jks

# Remove the temporary copies of the key material once they are in the keystore.
rm -f temp.p12 saml.example.org.key

# We might now restart keycloak to activate the new certificate
#systemctl restart keycloak.service

Phew, there were some hurdles, some google-fu needed, and lots of trial-and-error.
I'm not sure how we can help other users of keytool, but I'm confident I'll get
automatic refresh implemented,

Jochen
--
This space is intentionally left blank.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
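The following is an added example and not Jochen's script, nor anything shipped by certmonger, FreeIPA or Keycloak. It turns the manual steps above into a hook that certmonger can run as the `-C` post-save command of `ipa-getcert request`: bundle the renewed PEM key and certificate into PKCS#12, check that the bundle opens with the keystore password, then swap the entry into the JKS on a copy and rename it into place so the service never reads a half-written keystore. The script name `pem-to-jks.sh`, the alias `keycloak`, the owner `jboss:jboss` and the environment-overridable paths are assumptions (the paths default to the ones in the post); `-certfile` is used instead of the post's `-CAfile ... -chain` because IPA's `ca.crt` already holds the chain, and the separate `openssl rsa -des3` step is dropped because `openssl pkcs12 -export` encrypts the key with the `-passout` password, which keytool then uses as both store and key password.

```shell
#!/bin/sh
# Added example (not the script from the post): a certmonger post-save hook
# that rebuilds a Java keystore from the PEM files certmonger renews.
# Save as /usr/local/sbin/pem-to-jks.sh and register it with
#   ipa-getcert request ... -C /usr/local/sbin/pem-to-jks.sh
# Paths, alias and owner below are assumed defaults, overridable via environment.
set -eu
umask 077   # every temp file here carries the private key: never world-readable

CERT=${CERT:-/etc/pki/tls/certs/saml.example.org.crt}
KEY=${KEY:-/etc/pki/tls/private/saml.example.org.key}
CA=${CA:-/etc/ipa/ca.crt}
JKS=${JKS:-/opt/jboss/keycloak/standalone/configuration/keycloak.jks}
PWFILE=${PWFILE:-/opt/jboss/keycloak/standalone/configuration/keystore.password}
ALIAS=${ALIAS:-keycloak}        # assumed alias; the WildFly/Keycloak config must use the same
OWNER=${OWNER:-jboss:jboss}     # assumed service account that reads the keystore
SERVICE=${SERVICE:-keycloak.service}

# Bundle key + leaf cert + CA chain into one PKCS#12 file.
# certmonger's PEM key is unencrypted, so no -passin is needed; the bundle is
# encrypted with the keystore password, which makes key password == store
# password without a separate "openssl rsa -des3" step. -certfile embeds every
# cert in $3 (IPA's ca.crt holds the chain), so no chain building is required.
# Passing the password as file: keeps it out of the process list.
# Usage: build_pkcs12 KEY CERT CA PWFILE ALIAS OUT
build_pkcs12() {
    openssl pkcs12 -export -name "$5" \
        -inkey "$1" -in "$2" -certfile "$3" \
        -passout "file:$4" -out "$6"
}

# Return 0 only if the bundle opens with the keystore password (MAC check)
# and actually contains a private key. Run before touching the live keystore.
# Usage: verify_pkcs12 P12 PWFILE
verify_pkcs12() {
    openssl pkcs12 -in "$1" -passin "file:$2" -noout 2>/dev/null &&
    openssl pkcs12 -in "$1" -passin "file:$2" -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

# Print the subject of the leaf certificate in the bundle (for logging/checks).
# Usage: bundle_subject P12 PWFILE
bundle_subject() {
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject
}

# Replace the entry ALIAS in JKS with the one from P12. Work on a copy so the
# service never reads a half-written keystore, and delete the old alias first
# so a renewal does not fail with "alias already exists".
# Usage: import_into_jks P12 PWFILE ALIAS JKS
import_into_jks() {
    tmpjks="$4.new.$$"
    if [ -f "$4" ]; then
        cp -p "$4" "$tmpjks"
        keytool -delete -alias "$3" -keystore "$tmpjks" \
            -storepass:file "$2" >/dev/null 2>&1 || true   # absent on first run
    else
        rm -f "$tmpjks"
    fi
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:file "$2" \
        -srcalias "$3" -destalias "$3" \
        -destkeystore "$tmpjks" -deststoretype JKS \
        -deststorepass:file "$2" -destkeypass:file "$2"
    mv -f "$tmpjks" "$4"          # atomic on the same filesystem
}

main() {
    workdir=$(mktemp -d)
    trap 'rm -rf "$workdir"' EXIT   # the temp bundle holds the key; never leave it behind
    p12="$workdir/bundle.p12"
    build_pkcs12 "$KEY" "$CERT" "$CA" "$PWFILE" "$ALIAS" "$p12"
    verify_pkcs12 "$p12" "$PWFILE"
    echo "installing $(bundle_subject "$p12" "$PWFILE") into $JKS"
    import_into_jks "$p12" "$PWFILE" "$ALIAS" "$JKS"
    chown "$OWNER" "$JKS"
    chmod 0640 "$JKS"
    systemctl restart "$SERVICE"
}

# certmonger executes the hook directly; when the file is sourced under another
# name (e.g. by a test) only the functions are defined.
case "$(basename -- "$0")" in
    pem-to-jks.sh) main "$@" ;;
esac
```

The password file is one line with no other content; OpenSSL's `file:` source reads the first line, and the "Error reading password from BIO" from the post comes from giving the same file to both `-passin` and `-passout`, in which case OpenSSL takes the first line as the input password and the second line as the output password, so a file holding the password on two lines would also work. If an older keytool refuses the bundle produced by OpenSSL 3 (which defaults to AES and PBKDF2 inside the PKCS#12), add `-legacy` to the `openssl pkcs12 -export` call. Modern WildFly and Keycloak can also load a PKCS#12 keystore directly, which removes the keytool step entirely if you are free to change the keystore type in the server configuration.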