5.2. Converting an external certificate in the IdM CLI and loading it into an IdM user account

Procedure

1. Convert the certificate to the PEM format:

   • If your certificate is in the DER format:

     $ openssl x509 -in cert.crt -inform der -outform pem -out cert.pem

   • If your file is in the PKCS #12 format, whose common filename extensions are .pfx and .p12, and contains a certificate, a private key, and possibly other data, extract the certificate using the openssl pkcs12 utility. When prompted, enter the password protecting the private key stored in the file:

     $ openssl pkcs12 -in cert_and_key.p12 -clcerts -nokeys -out cert.pem
     Enter Import Password:

2. Obtain the administrator’s credentials:

   $ kinit admin

3. Add the certificate to the user account using the IdM CLI following one of the following methods:

   • Remove the first and last lines (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) of the PEM file using the sed utility before adding the string to the ipa user-add-cert command:

     $ ipa user-add-cert some_user --certificate="$(sed -e '/BEGIN CERTIFICATE/d;/END CERTIFICATE/d' cert.pem)"

   • Copy and paste the contents of the certificate file without the first and last lines (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) into the ipa user-add-cert command:

     $ ipa user-add-cert some_user --certificate=MIIDlzCCAn+gAwIBAgIBATANBgkqhki...

     注意

     You cannot pass a PEM file containing the certificate as input to the ipa user-add-cert command directly, without first removing the first and last lines (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----):

     $ ipa user-add-cert some_user --cert=some_user_cert.pem

     This command results in the "ipa: ERROR: Base64 decoding failed: Incorrect padding" error message.

4. To check if the certificate was accepted by the system:

   $ ipa user-show some_user