Red Hat SummitEste contenido no está disponible en el idioma seleccionado.
12.2. Requesting a Self-signed Certificate with certmonger
To request a certificate with
certmonger, use the getcert request utility.
Certificates and keys are stored locally in plain text files with the
.pem extension or in an NSS database, identified by the certificate nickname. When requesting a certificate, then, the request should identify the location where the certificate will be stored and the nickname of the certificate. For example:
selfsign-getcert request -d /etc/pki/nssdb -n Server-Cert
[root@server ~]# selfsign-getcert request -d /etc/pki/nssdb -n Server-Cert
The
/etc/pki/nssdb file is the global NSS database, and Server-Cert is the nickname of this certificate. The certificate nickname must be unique within this database.
The options you can provide with the command to generate a certificate vary depending on what kind of certificate you are requesting and the required configuration for the final certificate, as well as other settings:
-rautomatically renews the certificate when its expiration date is close if the key pair already exists. This option is used by default.-fstores the certificate in the given file.-keither stores the key in the given file or, if the key file already exists, uses the key in the file.-Kgives the Kerberos principal name of the service that will be using the certificate;-Kis required when requesting a certificate from an IdM server and optional when requesting a self-signed or locally-signed certificate-Ngives the subject name.-Drequests a DNS domain name to be included in the certificate as asubjectAltNamevalue.-Usets the extended key usage flag.-Arequests an IP address to be included in the certificate as asubjectAltNamevalue.-Isets a name for the task.certmongeruses this name to refer to the combination of storage locations and request options, and it is also displayed in the output of thegetcert listcommand. If you do not specify this option,certmongerassigns an automatically-generated name for the task.
A real CA, such as the one in IdM, can ignore anything that you specify in the signing request using the
-K, -N, -D, -U, and -A options according to the CA's own policies. For example, IdM requires that -K and -N agree with the local host name. Certificates generated using the selfsign-getcert and local-getcert commands, on the other hand, agree with the options that you specify because these commands do not enforce any policy.
Example 12.1. Using certmonger for a Service
selfsign-getcert request -f /etc/httpd/conf/ssl.crt/server.crt -k /etc/httpd/conf/ssl.key/server.key -N CN=`hostname --fqdn` -D `hostname` -U id-kp-serverAuth
[root@server ~]# selfsign-getcert request -f /etc/httpd/conf/ssl.crt/server.crt -k /etc/httpd/conf/ssl.key/server.key -N CN=`hostname --fqdn` -D `hostname` -U id-kp-serverAuth
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}