Creating certs and keys for services using FreeIPA (Dogtag)

The default installation of FreeIPA includes the Dogtag certificate management system, a Certificate Authority for your network. It manages expiration of certificates and can automatically renew them. Any client machines on your network will trust the services you provide (you may need to import the IPA CA cert).

There are a number of ways to make certificates. You can generate a certificate signing request or you can have Dogtag manage the whole process for you. You can also create individual cert and key files or put them into a nss database. My preferred method is to use individual files and have Dogtag do the work for me.

If you so desire, you can join your servers to the realm in just the same manner as a desktop client. However, even if they are not joined to the realm you can still create certs for them! You will need to run a few additional steps though, namely creating DNS records and adding the machine manually.

Let’s create a certificate for a web server on www.test.lan ( which is has not joined our realm.

SSH onto your IPA server and get a kerberos ticket.
[user@machine ~]# ssh root@ipa-server.test.lan
[root@ipa-server ~]# kinit admin

If the host is not already in the realm, create DNS entries and add the host.
[root@ipa-server ~]# ipa dnsrecord-add test.lan www --a-rec
[root@ipa-server ~]# ipa dnsrecord-add 100 --ptr-rec www.test.lan.
[root@ipa-server ~]# ipa host-add www.test.lan

Add a web service for the www machine.
[root@ipa-server ~]# ipa service-add HTTP/www.test.lan

Only the target machine can create a certificate (IPA uses the host kerberos ticket) by default, so to be able to create the certificate on your IPA server you need to allow it to manage the web service for the www host.
[root@ipa-server ~]# ipa service-add-host --hosts=ipa-server.test.lan HTTP/www.test.lan

Now create the cert and key.
[root@ipa-server ~]# ipa-getcert request -r -f /etc/pki/tls/certs/www.test.lan.crt -k
/etc/pki/tls/private/www.test.lan.key -N CN=www.test.lan -D
www.test.lan -K HTTP/www.test.lan

Now copy that key and certificate to your web server host and configure apache as required.
[root@ipa-server ~]# rsync -P /etc/pki/tls/certs/www.test.lan.crt /etc/pki/tls/private/www.test.lan.key root@www.test.lan:

You can also easily delete keys so that they aren’t tracked and renewed any more, first get the request id.
[root@ipa-server ~]# ipa-getcert list

Take note of the id for the certificate you want to delete.
[root@ipa-server ~]# getcert stop-tracking -i [request id]

A CRL (certificate revocation list) is automatically maintained and published on the IPA server at ​https://ipa-server.test.lan/ipa/crl/MasterCRL.bin

5 Responses to “Creating certs and keys for services using FreeIPA (Dogtag)”

  • Thanks a lot !!

    You can add -w -v to ipa-getcert, useful on problem.

  • What if I want to create a certificate for a virtual host[name] which isn’t actually a host and so won’t have a host record associated?


    Looks like it might now be possible with FreeIPA 4.0, but I haven’t tried it. If you get it working, please let me know!

  • Nice article, but 2 important steps are missing: automatic renewal and revocation.

    In the first paragraph you write “It [dogtag] manages expiration of certificates and can automatically renew them.” Instead you manually copy key(!!!) and certificate from the ipa server to a non-ipa client, not describing the “automatic dogtag part” at all.

    Sorry to say, but this is not as advertised.

  • The renewal should be automatic, you just need to re-fetch them and put them in place.


Leave a Reply