I'm running FreeIPA and would like to use it as an internal certificate authority.

I notice that the ipa cert-request command will sign a CSR (certificate signing request), which is great except that it creates a principal too, and I don't want that. I'd prefer to use an openssl x509 -req ... command.

I understand that the openssl x509 -req ... command signs the CSR with the CA's certificate and private key. I found the CA's certificate in FreeIPA (in /etc/ipa/ca.crt), but can't find the private key. Does anyone know where I might find this?
Certificate requests submitted to FreeIPA for signing pass through the internal set of checks that validate your rights to issue those certificates. One decision we made early on is that the Kerberos principal SAN in the certificate is one thing we can enforce, and thus it is enforced.

A certificate authority is much more than just self-signing with openssl. It includes maintenance of revocation lists as well, and without knowing what was issued and how, that is harder to maintain.
Do you have any specific reason for issuing certs without Kerberos principals in them? Note that you can generate a certificate signing request any way you want, then submit it through 'ipa cert-request' or IPA Web UI directly, not using certmonger's tools. This CSR would still need to pass validation, though.
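An added example of the workflow the reply describes (not code from the original thread or from the FreeIPA project): build the key and CSR with plain openssl, then hand the CSR to ipa cert-request for the service principal so FreeIPA runs its validation, signs it, and records the issuance. The hostname, realm and service name are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Hostname, realm and
# service name are placeholders; replace them with your own values.
set -eu

# Build a private key and CSR with plain openssl. FreeIPA checks that the
# CN and DNS SAN match the host of the principal the request is made for,
# so keep them consistent with the principal passed to ipa cert-request.
make_csr() {
    host=$1; out_dir=$2
    cfg="$out_dir/csr.cnf"
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$out_dir/$host.key" -out "$out_dir/$host.csr" \
        -config "$cfg" 2>/dev/null
    echo "$out_dir/$host.csr"
}

# Print the subject CN of a CSR so the caller can confirm it matches the host
# before submitting (works with both "CN = x" and "/CN=x" subject formats).
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Submit the CSR to FreeIPA for the service principal. The IPA CA validates
# the request against the principal, signs it, and keeps the issuance record
# it needs for revocation. Requires a Kerberos ticket (kinit) for an identity
# allowed to request certificates for that service.
submit_csr() {
    csr=$1; principal=$2; cert_out=$3
    ipa cert-request "$csr" --principal "$principal" --certificate-out "$cert_out"
}

# Example flow with placeholder names:
# dir=$(mktemp -d)
# csr=$(make_csr web01.example.test "$dir")
# submit_csr "$csr" HTTP/web01.example.test@EXAMPLE.TEST "$dir/web01.crt"
```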