From 474c5029d001d5141eacef6dc9e45b1c04d8697b Mon Sep 17 00:00:00 2001 From: Fabian Arrotin Date: Jan 13 2023 16:28:20 +0000 Subject: Added note about renewal with ipa/dogtag on enrolled node Signed-off-by: Fabian Arrotin --- diff --git a/docs/security/tls.md b/docs/security/tls.md index 4a2926f..c4a70f7 100644 --- a/docs/security/tls.md +++ b/docs/security/tls.md @@ -26,6 +26,9 @@ Pre-requisites: * an IPA account that has enough privileges to add hosts/services and local sudo rights on the intermediate enrolled node * `ipa-client` role applied with correct script deployed +!!! note + The following steps are just for *new* certificates. As once you'll have requested this on the enrolled node, dogtag will automatically watch and request/renew new ones, so they'll land on the enrolled node automatically, from which you can then retrieve TLS files and update pkistore (see above) + Once we have shell access on such enrolled node, we can proceed like this : ``` @@ -104,6 +107,7 @@ Keytab successfully retrieved and stored in: /etc/pki/centos/certs/HTTP-mbs.mbox You can now import into `pkistore` (and correct directory based on role) git-crypted repository the needed .crt and .key files from /etc/pki/centos/certs/ directory + #### TLS service account While the mentioned above script is probably the one that we'll use the most for nodes, we can also have to create service account, just to retrieve TLS cert used to auth against other services. As we'll just do that on *very* limited use cases, we can just "manually" execute the following snippet, still with first a valid kerberos ticket to be able to add users in IPA (so also on an enrolled machine and ideally the same one we use for the node certificates) :
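Review bot: in the first hunk (the `!!! note` block after the pre-requisites), the second sentence is a fragment ("As once you'll have requested this on the enrolled node, dogtag will automatically watch ...") and the trailing "(see above)" is ambiguous, since the note now sits before the request steps and before the `pkistore` import paragraph that the same file describes further down. Suggest rewording along the lines of "The following steps are only needed for *new* certificates. Once a certificate has been requested on the enrolled node, renewals are tracked and requested automatically, so renewed files land on the enrolled node, from where you retrieve them and update `pkistore` (see the import step below)." The note also attributes the automatic watching/renewing to dogtag, which is the IPA CA; on the enrolled client it is the certmonger tracking request that watches the certificate and asks the CA for renewal, so naming that component and the check an operator runs to confirm a certificate is actually tracked (for example `ipa-getcert list` on the enrolled node) would make the note verifiable rather than a promise, and would tell the reader what to look at when a renewal does not show up.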
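Review bot: the second hunk (after "You can now import into `pkistore` ...") adds only an empty line before the `#### TLS service account` heading; a whitespace-only change is easier to review and bisect when it is either dropped or folded into a commit that touches that paragraph, so consider removing it from this commit unless the extra blank line is required for the admonition/heading rendering, in which case the commit message should say so.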