Certmonger
certmonger 服务可以监控证书是否过期,并且借助 CA 刷新证书. 既支持OpenSSL 用的证书文件,也支持存在 NSS 证书库的证书.
certmonger 的命令行工具 getcert可以用来管理证书.
ipa-getcert 只能用在 IPA 的 CA.
ipa-getcert 等价于 getcert -c IPA
1 命令使用
ipa-getcert
ipa-getcert - client certificate enrollment tool
Usage: ipa-getcert command [options]
request request a new certificate from a CA
start-tracking begin monitoring an already-issued certificate
stop-tracking stop monitoring a certificate
resubmit resubmit an in-progress enrollment request, or start a new one
rekey generate a new private key and replace a certificate
refresh check on the status of an in-progress enrollment request
list list certificates being monitored and requested
status check the status of a certificate being monitored or requested
list-cas list known CA configurations
refresh-ca refresh cache of all information obtained from a CA
显示当前的证书
这是一个典型的 OpenSSL 证书.
ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20200310070220':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/tmp/httpd.key'
certificate: type=FILE,location='/tmp/httpd.pem'
CA: IPA
issuer: CN=Certificate Authority,O=ted.COM
subject: CN=cdh109.ted.com,O=ted.COM
expires: 2022-03-11 07:02:20 UTC
dns: cdh109.ted.com
principal name: HTTPS/cdh109.ted.com@ted.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20200817035728':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/etc/pki/tls/private/httpd.key'
certificate: type=FILE,location='/etc/pki/tls/certs/httpd.pem'
CA: IPA
issuer: CN=Certificate Authority,O=ted.COM
subject: CN=cdh109.ted.com,O=ted.COM
expires: 2022-08-18 03:57:29 UTC
dns: cdh109.ted.com
principal name: HTTPS/cdh109.ted.com@ted.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
也可以看到失败的请求.
Request ID '20200817041224':
status: CA_REJECTED
ca-error: Server at https://cdh230.ted.com/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=http/cdh110.ted.com@ted.COM,cn=services,cn=accounts,dc=ted,dc=com'.).
stuck: yes
key pair storage: type=FILE,location='/etc/pki/tls/private/httpd110.key'
certificate: type=FILE,location='/etc/pki/tls/certs/httpd110.pem'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
停止追踪证书
ipa-getcert stop-tracking -i 20200310064028
Request "20200310064028" removed.
ipa-getcert stop-tracking -i 20200310070830
对于请求过的域名,必须停止追踪后,才能再请求证书.
手工更新证书
` ipa-getcert resubmit -i REQUEST_ID`
命令行生成新证书
因为要使用/etc/krb5.keytab认证,需要在需要证书的节点执行命令.
ipa-getcert resubmit -i REQUEST_ID命令执行完会生成:
- 一对密钥
- CSR
- 证书
root@cdh110:~# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 02/24/2020 12:33:47 host/cdh110.ted.com@ted.COM
1 02/24/2020 12:33:47 host/cdh110.ted.com@ted.COM
1 02/24/2020 12:33:47 host/cdh110.ted.com@ted.COM
1 02/24/2020 12:33:47 host/cdh110.ted.com@ted.COM
1 02/24/2020 12:33:47 host/cdh110.ted.com@ted.COM
1 02/24/2020 12:33:47 host/cdh110.ted.com@ted.COM
root@cdh110:~# ipa-getcert request -f /tmp/server2020.crt -k /tmp/private2020.key -r
New signing request "20200817041934" added.
2 FreeIPA 界面
- 在浏览器
service下,或者Authentication-->Certificates-->iussue生成证书,看提示似乎只支持NSS
-
所以在命令行请求成功证书之后,复制证书,
-
在服务下粘贴,
service-->Service Certificate-->add就可以添加这个已经存在的证书
- 然后可以
Action下拉中选择选择查看,下载,收回等等.
