Request a key and certificate as OpenSSL (PEM) files; -r asks certmonger to renew the certificate automatically as it nears expiry
ipa-getcert request -f /etc/pki/tls/certs/server.crt -k /etc/pki/tls/private/private.key -r
Get NSS DB file location
kinit admin
ipa-getcert list | grep storage
List certificates in NSSDB
certutil -L -d /etc/httpd/alias/
Get certificate from NSSDB
certutil -L -d /etc/httpd/alias/ -a -n 'Server-Cert'
Get certificate and key from NSSDB
# Get the DB password (note: this prints it to the terminal, so it ends up in scrollback and any session recording)
cat /etc/httpd/alias/pwdfile.txt; echo
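# Export cert + key (pk12util can also read the DB password directly with -k /etc/httpd/alias/pwdfile.txt, which avoids displaying or typing it)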
pk12util -o key.p12 -n 'Server-Cert' -d /etc/httpd/alias/
<password from pwdfile>
<password for p12 file; can be blank, but then key.p12 holds the private key with no protection beyond file permissions>
<repeat>
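# Read the p12 file with the openssl tool and write it out in PEM format (key + cert chain)
# -nodes writes the private key unencrypted (OpenSSL 3.x spells this option -noenc), so create freeipa.key
# under a restrictive umask (e.g. umask 077) and delete key.p12 once it is no longer needed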
openssl pkcs12 -in key.p12 -out freeipa.key -nodes
<previously specified p12 password>
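Make Chromium/Chrome work with Kerberos
Note: newer Chromium/Chrome releases name these policies AuthServerAllowlist and AuthNegotiateDelegateAllowlist.
Note: the delegate list lets the listed servers act with the user's Kerberos credentials, so prefer naming only the hosts that need delegation over a whole-domain wildcard.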
vim /etc/chromium/policies/managed/kerberos.json # for Chromium
vim /etc/opt/chrome/policies/managed/kerberos.json # for Chrome
{
"AuthServerWhitelist": "*.example.com",
"AuthNegotiateDelegateWhitelist": "*.example.com"
}
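CA cert location (local file on an enrolled host, or the download URL; the URL is plain HTTP, so compare the downloaded certificate's fingerprint with a trusted copy before installing it as a trust anchor)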
/etc/ipa/ca.crt
http://ipa.example.com/ipa/config/ca.crt