{"id":10255,"date":"2025-03-19T17:55:43","date_gmt":"2025-03-19T16:55:43","guid":{"rendered":"https:\/\/www.credativ.de\/blog\/credativ-inside\/using-freeipa-and-certmonger-with-ec-keys\/"},"modified":"2025-03-19T17:55:43","modified_gmt":"2025-03-19T16:55:43","slug":"using-freeipa-and-certmonger-with-ec-keys","status":"publish","type":"post","link":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/using-freeipa-and-certmonger-with-ec-keys\/","title":{"rendered":"Using FreeIPA and Certmonger with EC Keys"},"content":{"rendered":"

Overview<\/h1>\n

Infrastructures that offer services via TLS often require an automated mechanism for the regular exchange of certificates. This can be achieved, among other things, by using Certmonger<\/a> and FreeIPA<\/a>. <\/p>\n

By default, a FreeIPA server is configured to create certificates using a profile with RSA keys. However, if cryptographic requirements exist that, for example, necessitate EC keys, a change to the FreeIPA profile must be made to enable them. Once this is done, these types of keys can also be used via Certmonger \u2013 by specifying the adapted profile. <\/p>\n

The following article addresses precisely the aforementioned FreeIPA adjustment to demonstrate how certificates with EC keys can also be utilized via Certmonger.<\/p>\n

Setup<\/h2>\n

For the following examples, a FreeIPA server and a corresponding client, which has also been registered as a client with FreeIPA, are required. In this example, both systems are set up with CentOS 9 Stream. <\/p>\n

Certmonger<\/h2>\n

Certmonger typically runs as a daemon in the background and monitors certificates for their expiration. The service can renew certificates if a CA is available for it, or it can also handle the complete deployment of certificates, including key generation, if desired. <\/p>\n

The typical sequence for Certmonger is as follows:<\/p>\n

    \n
  1. Creating a key pair<\/li>\n
  2. Creating a CSR (Certificate Signing Request) with the public key<\/li>\n
  3. Submitting the CSR to a corresponding CA<\/li>\n
  4. Verifying the CA’s response<\/li>\n
  5. Monitoring the certificate for expiration<\/li>\n<\/ol>\n

    The design documentation<\/a> provides further details on this.<\/p>\n

    EC<\/h2>\n

    EC is also known as ECDSA<\/code> (Elliptic Curve Digital Signature Algorithm<\/a>). Elliptic Curve Cryptography (ECC) is used to create such keys, which allows for the use of smaller key lengths. Like RSA, ECDSA also works asymmetrically, meaning a public and a private key are also used here. <\/p>\n

    Requirements<\/h1>\n

    The prerequisites for the specified setup are as follows:<\/p>\n

      \n
    1. FreeIPA (version used: 4.12.2)<\/li>\n
    2. At least one client that is to manage certificates using Certmonger (version: 0.79.17)<\/li>\n<\/ol>\n

      The FreeIPA server is already configured and offers its services accordingly. The clients, on the other hand, can reach the FreeIPA server, where Certmonger (ipa-client) is already installed. <\/p>\n

      Creating a Profile for Using EC Keys on FreeIPA<\/h1>\n

      With the default configuration, the FreeIPA server already offers several profiles for certificate creation:<\/p>\n


      \n[root@ipa ~]# ipa certprofile-find
      \n------------------
      \n4 profiles matched
      \n------------------
      \nProfile ID: acmeIPAServerCert
      \nProfile description: ACME IPA service certificate profile
      \nStore issued certificates: False<\/code>
      \n
      \nProfile ID: caIPAserviceCert
      \nProfile description: Standard profile for network services
      \nStore issued certificates: True<\/code>
      \n
      \nProfile ID: IECUserRoles
      \nProfile description: User profile that includes IECUserRoles extension from request
      \nStore issued certificates: True<\/code>
      \n
      \nProfile ID: KDCs_PKINIT_Certs
      \nProfile description: Profile for PKINIT support by KDCs
      \nStore issued certificates: False
      \n----------------------------
      \nNumber of entries returned 4
      \n----------------------------
      \n<\/code><\/p>\n

      It is therefore easiest, for example, to export the existing profile caIPAServicecert<\/code> and make the necessary changes there. For this, the corresponding profile is exported and saved, for example, in a file named caIPAserviceCert_ECDSA.cfg<\/code>: <\/p>\n


      \n[root@ipa ~]# ipa certprofile-show caIPAserviceCert --out caIPAserviceCert_ECDSA.cfg
      \n-----------------------------------------------------------------
      \nProfile configuration stored in file 'caIPAserviceCert_ECDSA.cfg'
      \n-----------------------------------------------------------------
      \nProfile ID: caIPAserviceCert
      \nProfile description: Standard profile for network services
      \nStore issued certificates: True
      \n<\/code><\/p>\n

      In the exported profile, the necessary changes are now made using a simple text editor to support other key types as well:<\/p>\n


      \npolicyset.serverCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521,sect163k1,nistk163
      \npolicyset.serverCertSet.3.constraint.params.keyType=EC
      \nprofileId=caIPAserviceCert_ECDSA
      \n<\/code><\/p>\n

      The possible values for the parameter keyParameters<\/code> can be determined with the following command:<\/p>\n


      \n[root@ipa ~]# certutil -G -H
      \n[...]
      \n-k key-type Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))
      \n-g key-size Key size in bits, (min 512, max 8192, default 2048) (not for ec)
      \n-q curve-name Elliptic curve name (ec only)
      \nOne of nistp256, nistp384, nistp521, curve25519.
      \nIf a custom token is present, the following curves are also supported:
      \nsect163k1, nistk163, sect163r1, sect163r2,
      \nnistb163, sect193r1, sect193r2, sect233k1, nistk233,
      \nsect233r1, nistb233, sect239k1, sect283k1, nistk283,
      \nsect283r1, nistb283, sect409k1, nistk409, sect409r1,
      \nnistb409, sect571k1, nistk571, sect571r1, nistb571,
      \nsecp160k1, secp160r1, secp160r2, secp192k1, secp192r1,
      \nnistp192, secp224k1, secp224r1, nistp224, secp256k1,
      \nsecp256r1, secp384r1, secp521r1,
      \nprime192v1, prime192v2, prime192v3,
      \nprime239v1, prime239v2, prime239v3, c2pnb163v1,
      \nc2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1,
      \nc2tnb191v2, c2tnb191v3,
      \nc2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3,
      \nc2pnb272w1, c2pnb304w1,
      \nc2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1,
      \nsecp112r2, secp128r1, secp128r2, sect113r1, sect113r2
      \nsect131r1, sect131r2
      \n<\/code><\/p>\n

      For demonstration purposes, the command output is greatly reduced. Only the possible key types and the key size (configurable later in the Certmonger request) are included in the output shown here. By using the passing parameter curve-name<\/code>, the corresponding command returns the values for the keyParameters<\/code>. <\/p>\n

      Of course, when using other key types, client applications must also be considered, as not every browser, for example, supports every available parameter (curve-name<\/code>). Indications of which key types a browser supports can be determined, for example, via Qualys SSL Labs<\/a> (in the area of named group<\/code>). <\/p>\n

      Additionally, further settings can be made within the profile itself, such as the validity period of the issued certificates.<\/p>\n

      After these adjustments, the profile (with the new name caIPAserviceCert_ECDSA<\/code>) can be imported into FreeIPA to use it afterwards. The following command is used for importing: <\/p>\n


      \n[root@ipa ~]# ipa certprofile-import caIPAserviceCert_ECDSA --file caIPAserviceCert_ECDSA.cfg
      \nProfile description: Profile for network service with ECDSA
      \nStore issued certificates [True]:
      \n-----------------------------------------
      \nImported profile \"caIPAserviceCert_ECDSA\"
      \n-----------------------------------------
      \nProfile ID: caIPAserviceCert_ECDSA
      \nProfile description: Profile for network service with ECDSA
      \nStore issued certificates: True
      \n<\/code><\/p>\n

      Thus, another profile is now available in FreeIPA, which can be passed along with certificate requests via Certmonger to obtain corresponding certificates and keys.<\/p>\n

      Requesting a Certificate via Certmonger<\/h1>\n

      EC<\/h2>\n

      For Certmonger to manage a certificate, a corresponding “Request” must be created. The CA and the appropriate profile to be used for creation are provided with this. Additionally, the storage locations for the private key and the certificate are also specified: <\/p>\n


      \n[root@ipa-client-01 ~]# getcert request --ca=IPA --profile=caIPAserviceCert_ECDSA --certfile=\/etc\/pki\/tls\/certs\/$HOSTNAME.crt --keyfile=\/etc\/pki\/tls\/private\/$HOSTNAME.key --key-type=ec --subject-name=\"$HOSTNAME\" --principal=\"HTTP\/$HOSTNAME\" -g 256
      \n<\/code><\/p>\n

      We can observe the successful request in the output as follows:<\/p>\n


      \nNumber of certificates and requests being tracked: 1.
      \nRequest ID '20250206122718':
      \nstatus: MONITORING
      \nstuck: no
      \nkey pair storage: type=FILE,location='\/etc\/pki\/tls\/private\/ipa-client-01.vrc.lan.key'
      \ncertificate: type=FILE,location='\/etc\/pki\/tls\/certs\/ipa-client-01.vrc.lan.crt'
      \nCA: IPA
      \nissuer: CN=Certificate Authority,O=VRC.LAN
      \nsubject: CN=ipa-client-01.vrc.lan,O=VRC.LAN
      \nissued: 2025-02-06 13:27:18 CET
      \nexpires: 2027-02-07 13:27:18 CET
      \ndns: ipa-client-01.vrc.lan
      \nprincipal name: HTTP\/ipa-client-01.vrc.lan@VRC.LAN
      \nkey usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
      \neku: id-kp-serverAuth,id-kp-clientAuth
      \nprofile: caIPAserviceCert_ECDSA
      \npre-save command:
      \npost-save command:
      \ntrack: yes
      \nauto-renew: yes
      \n<\/code><\/p>\n

      Subsequently, we can now also inspect the created certificate more closely with openssl<\/code>:<\/p>\n


      \n[root@ipa-client-01 ~]# openssl x509 -in '\/etc\/pki\/tls\/certs\/ipa-client-01.vrc.lan.crt' -noout -text
      \nCertificate:
      \nData:
      \nVersion: 3 (0x2)
      \nSerial Number: 11 (0xb)
      \nSignature Algorithm: sha256WithRSAEncryption
      \nIssuer: O=VRC.LAN, CN=Certificate Authority
      \nValidity
      \nNot Before: Feb 6 12:27:18 2025 GMT
      \nNot After : Feb 7 12:27:18 2027 GMT
      \nSubject: O=VRC.LAN, CN=ipa-client-01.vrc.lan
      \nSubject Public Key Info:
      \nPublic Key Algorithm: id-ecPublicKey
      \nPublic-Key: (256 bit)
      \npub:
      \n04:91:15:7d:ac:83:9e:91:cc:9b:ea:f9:0a:5b:53:
      \n03:37:a5:c7:33:69:73:88:38:e4:c1:38:57:8b:b4:
      \nd8:c5:5e:18:8d:83:af:80:fc:9d:64:ab:32:69:dd:
      \n05:50:27:57:be:32:3b:e1:25:10:f3:57:74:e5:42:
      \na7:16:8e:41:1a
      \nASN1 OID: prime256v1
      \nNIST CURVE: P-256
      \nX509v3 extensions:
      \nX509v3 Authority Key Identifier:
      \n03:4B:F3:FE:CB:F9:EC:26:14:F8:61:56:BB:81:6A:CE:A1:DB:4C:0B
      \nAuthority Information Access:
      \nOCSP - URI:http:\/\/ipa-ca.vrc.lan\/ca\/ocsp
      \nX509v3 Key Usage: critical
      \nDigital Signature, Non Repudiation, Key Encipherment, Data Encipherment
      \nX509v3 Extended Key Usage:
      \nTLS Web Server Authentication, TLS Web Client Authentication
      \nX509v3 CRL Distribution Points:
      \nFull Name:
      \nURI:http:\/\/ipa-ca.vrc.lan\/ipa\/crl\/MasterCRL.bin CRL Issuer:
      \nDirName:O = ipaca, CN = Certificate Authority
      \nX509v3 Subject Key Identifier:
      \n00:B5:C7:96:FA:D1:18:D8:6A:11:B4:E0:83:ED:CE:A8:8F:A1:19:7B
      \nX509v3 Subject Alternative Name:
      \nothername: UPN::HTTP\/ipa-client-01.vrc.lan@VRC.LAN, othername: 1.3.6.1.5.2.2::, DNS:ipa-client-01.vrc.lan
      \nSignature Algorithm: sha256WithRSAEncryption
      \n[...]
      \n<\/code><\/p>\n

      It is relevant that we have indeed received a certificate from the EC profile.<\/p>\n

      RSA<\/h2>\n

      In parallel to EC keys, we can, of course, also request and monitor other types of certificates with Certmonger. By specifying a different profile, an RSA-based certificate can thus also be requested additionally: <\/p>\n


      \n[root@ipa-client-01 ~]# getcert request --ca=IPA --profile=caIPAserviceCert --certfile=\/etc\/pki\/tls\/certs\/${HOSTNAME}_rsa.crt --keyfile=\/etc\/pki\/tls\/private\/${HOSTNAME}_rsa.key --subject-name=\"$HOSTNAME\" --principal=\"HTTP\/$HOSTNAME\"
      \n<\/code><\/p>\n

      The details in the certificate itself can be viewed more closely via the parameter list<\/code>:<\/p>\n


      \n[root@ipa-client-01 ~]# getcert list
      \nNumber of certificates and requests being tracked: 2.
      \nRequest ID '20250206122718':
      \nstatus: MONITORING
      \nstuck: no
      \nkey pair storage: type=FILE,location='\/etc\/pki\/tls\/private\/ipa-client-01.vrc.lan.key'
      \ncertificate: type=FILE,location='\/etc\/pki\/tls\/certs\/ipa-client-01.vrc.lan.crt'
      \nCA: IPA
      \nissuer: CN=Certificate Authority,O=VRC.LAN
      \nsubject: CN=ipa-client-01.vrc.lan,O=VRC.LAN
      \nissued: 2025-02-06 13:27:18 CET
      \nexpires: 2027-02-07 13:27:18 CET
      \ndns: ipa-client-01.vrc.lan
      \nprincipal name: HTTP\/ipa-client-01.vrc.lan@VRC.LAN
      \nkey usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
      \neku: id-kp-serverAuth,id-kp-clientAuth
      \nprofile: caIPAserviceCert_ECDSA
      \npre-save command:
      \npost-save command:
      \ntrack: yes
      \nauto-renew: yes
      \nRequest ID '20250206123339':
      \nstatus: MONITORING
      \nstuck: no
      \nkey pair storage: type=FILE,location='\/etc\/pki\/tls\/private\/ipa-client-01.vrc.lan_rsa.key'
      \ncertificate: type=FILE,location='\/etc\/pki\/tls\/certs\/ipa-client-01.vrc.lan_rsa.crt'
      \nCA: IPA
      \nissuer: CN=Certificate Authority,O=VRC.LAN
      \nsubject: CN=ipa-client-01.vrc.lan,O=VRC.LAN
      \nissued: 2025-02-06 13:33:40 CET
      \nexpires: 2027-02-07 13:33:40 CET
      \ndns: ipa-client-01.vrc.lan
      \nprincipal name: HTTP\/ipa-client-01.vrc.lan@VRC.LAN
      \nkey usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
      \neku: id-kp-serverAuth,id-kp-clientAuth
      \nprofile: caIPAserviceCert
      \npre-save command:
      \npost-save command:
      \ntrack: yes
      \nauto-renew: yes
      \n<\/code><\/p>\n

      Here, certificates can also be re-requested or management can be terminated by specifying the request ID. The parameters resubmit<\/code> and stop-tracking<\/code> are available for this. <\/p>\n

      Adjusting the Signature Algorithm<\/h2>\n

      The signature algorithms can also be adjusted via the profile. For this, the entry <\/p>\n


      \npolicyset.serverCertSet.8.default.params.signingAlg=SHA512withRSA
      \n<\/code><\/p>\n

      is adjusted. By default, only a “-” is found there. The algorithm can be selected from the list of options in the parameter <\/p>\n


      \npolicyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
      \n<\/code><\/p>\n

      can be selected.<\/p>\n

      Subsequently, the changed profile must, of course, be updated in IPA itself. This is done with: <\/p>\n


      \n[root@ipa ~]# ipa certprofile-mod caIPAserviceCert_ECDSA --file caIPAserviceCert_ECDSA.cfg
      \nProfile ID: caIPAserviceCert_ECDSA
      \nProfile description: Profile for network service with ECDSA
      \nStore issued certificates: True
      \n<\/code><\/p>\n

      A check with openssl<\/code> then shows the new algorithm:<\/p>\n


      \n[root@ipa-client-01 ~]# openssl x509 -in '\/etc\/pki\/tls\/certs\/ipa-client-01.vrc.lan.crt' -noout -text | grep Sig
      \nSignature Algorithm: sha512WithRSAEncryption
      \nDigital Signature, Non Repudiation, Key Encipherment, Data Encipherment
      \n[...]
      \n<\/code><\/p>\n

      Conclusion<\/h1>\n

      Certmonger in combination with FreeIPA can seamlessly manage certificates with EC keys. Only the configuration of the IPA and the corresponding Certmonger requests need to be adjusted, as shown in the preceding chapters. This allows FreeIPA to be operated excellently in infrastructures that require EC keys. As part of proper operation, it is also recommended to continuously monitor the results of certificate requests in central monitoring. <\/p>\n","protected":false},"excerpt":{"rendered":"

      Overview Infrastructures that offer services via TLS often require an automated mechanism for the regular exchange of certificates. This can be achieved, among other things, by using Certmonger and FreeIPA. By default, a FreeIPA server is configured to create certificates using a profile with RSA keys. However, if cryptographic requirements exist that, for example, necessitate […]<\/p>\n","protected":false},"author":10,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_improvement_type_select":"improve_an_existing","_thumb_yes_seoaic":false,"_frame_yes_seoaic":false,"seoaic_generate_description":"","seoaic_improve_instructions_prompt":"","seoaic_rollback_content_improvement":"","seoaic_idea_thumbnail_generator":"","thumbnail_generated":false,"thumbnail_generate_prompt":"","seoaic_article_description":"","seoaic_article_subtitles":[],"footnotes":""},"categories":[1885],"tags":[2154,2153],"class_list":["post-10255","post","type-post","status-publish","format-standard","hentry","category-howtos-en","tag-certmonger","tag-freeipa"],"acf":[],"yoast_head":"\nUsing FreeIPA and Certmonger with EC Keys - credativ\u00ae<\/title>\n<meta name=\"description\" content=\"Update your FreeIPA profile and use Certmonger to exchange certificates with EC keys.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/using-freeipa-and-certmonger-with-ec-keys\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Using FreeIPA and Certmonger with EC Keys\" \/>\n<meta property=\"og:description\" content=\"Update your FreeIPA profile and use Certmonger to exchange certificates with EC keys.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/using-freeipa-and-certmonger-with-ec-keys\/\" \/>\n<meta property=\"og:site_name\" content=\"credativ\u00ae\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/credativDE\/\" \/>\n<meta property=\"article:published_time\" content=\"2025-03-19T16:55:43+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.credativ.de\/wp-content\/uploads\/2019\/07\/Portfolio-Loesungen.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"800\" \/>\n\t<meta property=\"og:image:height\" content=\"550\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Andr\u00e9 N\u00e4hring\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@credativde\" \/>\n<meta name=\"twitter:site\" content=\"@credativde\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Andr\u00e9 N\u00e4hring\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/using-freeipa-and-certmonger-with-ec-keys\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/using-freeipa-and-certmonger-with-ec-keys\\\/\"},\"author\":{\"name\":\"Andr\u00e9 N\u00e4hring\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#\\\/schema\\\/person\\\/c8c9744720b793cf644cf92a6cc2e7af\"},\"headline\":\"Using FreeIPA and Certmonger with EC Keys\",\"datePublished\":\"2025-03-19T16:55:43+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/using-freeipa-and-certmonger-with-ec-keys\\\/\"},\"wordCount\":878,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#organization\"},\"keywords\":[\"certmonger\",\"freeipa\"],\"articleSection\":[\"HowTos\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/using-freeipa-and-certmonger-with-ec-keys\\\/#respond\"]}],\"copyrightYear\":\"2025\",\"copyrightHolder\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/#organization\"}},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/using-freeipa-and-certmonger-with-ec-keys\\\/\",\"url\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/using-freeipa-and-certmonger-with-ec-keys\\\/\",\"name\":\"Using FreeIPA and Certmonger with EC Keys - credativ\u00ae\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#website\"},\"datePublished\":\"2025-03-19T16:55:43+00:00\",\"description\":\"Update your FreeIPA profile and use Certmonger to exchange certificates with EC keys.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/using-freeipa-and-certmonger-with-ec-keys\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/using-freeipa-and-certmonger-with-ec-keys\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/using-freeipa-and-certmonger-with-ec-keys\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Using FreeIPA and Certmonger with EC Keys\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/\",\"name\":\"credativ GmbH\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Organization\",\"Place\"],\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#organization\",\"name\":\"credativ\u00ae\",\"url\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/\",\"logo\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/using-freeipa-and-certmonger-with-ec-keys\\\/#local-main-organization-logo\"},\"image\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/using-freeipa-and-certmonger-with-ec-keys\\\/#local-main-organization-logo\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/credativDE\\\/\",\"https:\\\/\\\/x.com\\\/credativde\",\"https:\\\/\\\/mastodon.social\\\/@credativde\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/credativ-gmbh\",\"https:\\\/\\\/www.instagram.com\\\/credativ\\\/\"],\"description\":\"Die credativ GmbH ist ein f\u00fchrendes, auf Open Source Software spezialisiertes IT-Dienstleistungs- und Beratungsunternehmen. Wir bieten umfassende und professionelle Services, von Beratung und Infrastruktur-Betrieb \u00fcber 24\\\/7 Support bis hin zu individuellen L\u00f6sungen und Schulungen. Unser Fokus liegt auf dem ganzheitlichen Management von gesch\u00e4ftskritischen Open-Source-Systemen, darunter Betriebssysteme (z.B. Linux), Datenbanken (z.B. PostgreSQL), Konfigurationsmanagement (z.B. Ansible, Puppet) und Virtualisierung. Als engagierter Teil der Open-Source-Community unterst\u00fctzen wir unsere Kunden dabei, die Vorteile freier Software sicher, stabil und effizient in ihrer IT-Umgebung zu nutzen.\",\"legalName\":\"credativ GmbH\",\"foundingDate\":\"2025-03-01\",\"duns\":\"316387060\",\"numberOfEmployees\":{\"@type\":\"QuantitativeValue\",\"minValue\":\"11\",\"maxValue\":\"50\"},\"address\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/using-freeipa-and-certmonger-with-ec-keys\\\/#local-main-place-address\"},\"geo\":{\"@type\":\"GeoCoordinates\",\"latitude\":\"51.1732374\",\"longitude\":\"6.392010099999999\"},\"telephone\":[\"+4921619174200\",\"08002733284\"],\"contactPoint\":{\"@type\":\"ContactPoint\",\"telephone\":\"08002733284\",\"email\":\"vertrieb@credativ.de\"},\"openingHoursSpecification\":[{\"@type\":\"OpeningHoursSpecification\",\"dayOfWeek\":[\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\"],\"opens\":\"09:00\",\"closes\":\"17:00\"},{\"@type\":\"OpeningHoursSpecification\",\"dayOfWeek\":[\"Saturday\",\"Sunday\"],\"opens\":\"00:00\",\"closes\":\"00:00\"}],\"email\":\"info@credativ.de\",\"areaServed\":\"D-A-CH\",\"vatID\":\"DE452151696\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#\\\/schema\\\/person\\\/c8c9744720b793cf644cf92a6cc2e7af\",\"name\":\"Andr\u00e9 N\u00e4hring\"},{\"@type\":\"PostalAddress\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/using-freeipa-and-certmonger-with-ec-keys\\\/#local-main-place-address\",\"streetAddress\":\"Hennes-Weisweiler-Allee 23\",\"addressLocality\":\"M\u00f6nchengladbach\",\"postalCode\":\"41179\",\"addressRegion\":\"Deutschland\",\"addressCountry\":\"DE\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/using-freeipa-and-certmonger-with-ec-keys\\\/#local-main-organization-logo\",\"url\":\"https:\\\/\\\/www.credativ.de\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/credativ-logo-right.svg\",\"contentUrl\":\"https:\\\/\\\/www.credativ.de\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/credativ-logo-right.svg\",\"caption\":\"credativ\u00ae\"}]}<\/script>\n<meta name=\"geo.placename\" content=\"M\u00f6nchengladbach\" \/>\n<meta name=\"geo.position\" content=\"51.1732374;6.392010099999999\" \/>\n<meta name=\"geo.region\" content=\"Germany\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Using FreeIPA and Certmonger with EC Keys - credativ\u00ae","description":"Update your FreeIPA profile and use Certmonger to exchange certificates with EC keys.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/using-freeipa-and-certmonger-with-ec-keys\/","og_locale":"en_US","og_type":"article","og_title":"Using FreeIPA and Certmonger with EC Keys","og_description":"Update your FreeIPA profile and use Certmonger to exchange certificates with EC keys.","og_url":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/using-freeipa-and-certmonger-with-ec-keys\/","og_site_name":"credativ\u00ae","article_publisher":"https:\/\/www.facebook.com\/credativDE\/","article_published_time":"2025-03-19T16:55:43+00:00","og_image":[{"width":800,"height":550,"url":"https:\/\/www.credativ.de\/wp-content\/uploads\/2019\/07\/Portfolio-Loesungen.jpg","type":"image\/jpeg"}],"author":"Andr\u00e9 N\u00e4hring","twitter_card":"summary_large_image","twitter_creator":"@credativde","twitter_site":"@credativde","twitter_misc":{"Written by":"Andr\u00e9 N\u00e4hring","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/using-freeipa-and-certmonger-with-ec-keys\/#article","isPartOf":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/using-freeipa-and-certmonger-with-ec-keys\/"},"author":{"name":"Andr\u00e9 N\u00e4hring","@id":"https:\/\/www.credativ.de\/en\/#\/schema\/person\/c8c9744720b793cf644cf92a6cc2e7af"},"headline":"Using FreeIPA and Certmonger with EC Keys","datePublished":"2025-03-19T16:55:43+00:00","mainEntityOfPage":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/using-freeipa-and-certmonger-with-ec-keys\/"},"wordCount":878,"commentCount":0,"publisher":{"@id":"https:\/\/www.credativ.de\/en\/#organization"},"keywords":["certmonger","freeipa"],"articleSection":["HowTos"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.credativ.de\/en\/blog\/howtos-en\/using-freeipa-and-certmonger-with-ec-keys\/#respond"]}],"copyrightYear":"2025","copyrightHolder":{"@id":"https:\/\/www.credativ.de\/#organization"}},{"@type":"WebPage","@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/using-freeipa-and-certmonger-with-ec-keys\/","url":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/using-freeipa-and-certmonger-with-ec-keys\/","name":"Using FreeIPA and Certmonger with EC Keys - credativ\u00ae","isPartOf":{"@id":"https:\/\/www.credativ.de\/en\/#website"},"datePublished":"2025-03-19T16:55:43+00:00","description":"Update your FreeIPA profile and use Certmonger to exchange certificates with EC keys.","breadcrumb":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/using-freeipa-and-certmonger-with-ec-keys\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.credativ.de\/en\/blog\/howtos-en\/using-freeipa-and-certmonger-with-ec-keys\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/using-freeipa-and-certmonger-with-ec-keys\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.credativ.de\/en\/"},{"@type":"ListItem","position":2,"name":"Using FreeIPA and Certmonger with EC Keys"}]},{"@type":"WebSite","@id":"https:\/\/www.credativ.de\/en\/#website","url":"https:\/\/www.credativ.de\/en\/","name":"credativ GmbH","description":"","publisher":{"@id":"https:\/\/www.credativ.de\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.credativ.de\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Organization","Place"],"@id":"https:\/\/www.credativ.de\/en\/#organization","name":"credativ\u00ae","url":"https:\/\/www.credativ.de\/en\/","logo":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/using-freeipa-and-certmonger-with-ec-keys\/#local-main-organization-logo"},"image":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/using-freeipa-and-certmonger-with-ec-keys\/#local-main-organization-logo"},"sameAs":["https:\/\/www.facebook.com\/credativDE\/","https:\/\/x.com\/credativde","https:\/\/mastodon.social\/@credativde","https:\/\/www.linkedin.com\/company\/credativ-gmbh","https:\/\/www.instagram.com\/credativ\/"],"description":"Die credativ GmbH ist ein f\u00fchrendes, auf Open Source Software spezialisiertes IT-Dienstleistungs- und Beratungsunternehmen. Wir bieten umfassende und professionelle Services, von Beratung und Infrastruktur-Betrieb \u00fcber 24\/7 Support bis hin zu individuellen L\u00f6sungen und Schulungen. Unser Fokus liegt auf dem ganzheitlichen Management von gesch\u00e4ftskritischen Open-Source-Systemen, darunter Betriebssysteme (z.B. Linux), Datenbanken (z.B. PostgreSQL), Konfigurationsmanagement (z.B. Ansible, Puppet) und Virtualisierung. Als engagierter Teil der Open-Source-Community unterst\u00fctzen wir unsere Kunden dabei, die Vorteile freier Software sicher, stabil und effizient in ihrer IT-Umgebung zu nutzen.","legalName":"credativ GmbH","foundingDate":"2025-03-01","duns":"316387060","numberOfEmployees":{"@type":"QuantitativeValue","minValue":"11","maxValue":"50"},"address":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/using-freeipa-and-certmonger-with-ec-keys\/#local-main-place-address"},"geo":{"@type":"GeoCoordinates","latitude":"51.1732374","longitude":"6.392010099999999"},"telephone":["+4921619174200","08002733284"],"contactPoint":{"@type":"ContactPoint","telephone":"08002733284","email":"vertrieb@credativ.de"},"openingHoursSpecification":[{"@type":"OpeningHoursSpecification","dayOfWeek":["Monday","Tuesday","Wednesday","Thursday","Friday"],"opens":"09:00","closes":"17:00"},{"@type":"OpeningHoursSpecification","dayOfWeek":["Saturday","Sunday"],"opens":"00:00","closes":"00:00"}],"email":"info@credativ.de","areaServed":"D-A-CH","vatID":"DE452151696"},{"@type":"Person","@id":"https:\/\/www.credativ.de\/en\/#\/schema\/person\/c8c9744720b793cf644cf92a6cc2e7af","name":"Andr\u00e9 N\u00e4hring"},{"@type":"PostalAddress","@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/using-freeipa-and-certmonger-with-ec-keys\/#local-main-place-address","streetAddress":"Hennes-Weisweiler-Allee 23","addressLocality":"M\u00f6nchengladbach","postalCode":"41179","addressRegion":"Deutschland","addressCountry":"DE"},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/using-freeipa-and-certmonger-with-ec-keys\/#local-main-organization-logo","url":"https:\/\/www.credativ.de\/wp-content\/uploads\/2025\/04\/credativ-logo-right.svg","contentUrl":"https:\/\/www.credativ.de\/wp-content\/uploads\/2025\/04\/credativ-logo-right.svg","caption":"credativ\u00ae"}]},"geo.placename":"M\u00f6nchengladbach","geo.position":{"lat":"51.1732374","long":"6.392010099999999"},"geo.region":"Germany"},"_links":{"self":[{"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/posts\/10255","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/comments?post=10255"}],"version-history":[{"count":0,"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/posts\/10255\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/media?parent=10255"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/categories?post=10255"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/tags?post=10255"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}