Description of problem:
certmonger issues files in PKCS #8 format by default on RHEL 6 (5 as well I believe but haven't tested) hosts. When tied in via IPA to a PKI infrastructure, that means all you are getting is PKCS #8 format (unless there are controls in certmonger I am overlooking). Programs such as rsyslog can't handle PKCS #8 format, because the version of gnutls in RHEL 6 doesn't support automatic handling of those certificates. This problem was fixed in gnutls 2.12.0, so a backport would be necessary. Or certmonger needs to be fixed to allow the default format to be changed.

Version-Release number of selected component (if applicable):
gnutls-2.8.5-4.el6.x86_64
certmonger-0.50-3.el6.x86_64

How reproducible:
Use ipa-getcert or any other certmonger front end (selfsign-getcert works as well) to generate a key and a certificate. Attempt to load said items with a program like rsyslog; rsyslog will no longer crash (that bug was fixed) but it won't be able to open the certificates (actually just the key is the problem).

A bit of a reference is this thread: https://lists.gnu.org/archive/html/help-gnutls/2011-10/msg00004.html

gnutls-cli also works as a good test of how it (erm) doesn't work:

gnutls-cli --x509cafile /etc/pki/certmaster/ca.cert --x509keyfile foo.example.com.pem --x509certfile foo.example.com.cert -p 514 bar.example.com

Make sure the key file is in PKCS #8 format.

*** This bug has been marked as a duplicate of bug 745242 ***
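
One way to check which encoding a key file uses before pointing a GnuTLS-based program at it, as an added example that is not part of the original bug report: it classifies a PEM private key as PKCS #8 or traditional by the shape of its outer DER structure rather than by the PEM label alone. The function names are assumptions for illustration, and the sample inputs are constructed toy structures, not real keys.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def classify_key(pem_text):
    """Classify a PEM private key by its DER structure, not just its label."""
    m = PEM_RE.search(pem_text)
    if not m:
        return "not-pem"
    if "Proc-Type:" in m.group(2):          # legacy PEM encryption headers
        return "traditional-encrypted"
    try:
        der = base64.b64decode("".join(m.group(2).split()))
        tag, start, _ = _tlv(der, 0)                # outer SEQUENCE
        first, _, first_end = _tlv(der, start)      # first inner element
        second, _, _ = _tlv(der, first_end)         # second inner element
    except (ValueError, IndexError):
        return "unparseable"
    shape = (tag, first, second)
    if shape == (0x30, 0x30, 0x04):         # AlgorithmIdentifier, OCTET STRING
        return "pkcs8-encrypted"
    if shape == (0x30, 0x02, 0x30):         # version, AlgorithmIdentifier
        return "pkcs8"
    if shape in ((0x30, 0x02, 0x02), (0x30, 0x02, 0x04)):  # RSA/DSA or EC
        return "traditional"
    return "unparseable"

# Constructed toy structures (not real keys) to exercise the classifier.
def _der(tag, value):
    return bytes([tag, len(value)]) + value
def _pem(label, der):
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
RSA_ALG = bytes.fromhex("06092a864886f70d0101010500")   # rsaEncryption + NULL
TOY_PKCS1 = _der(0x30, _der(2, b"\x00") + _der(2, b"\x00\xc3\x51") + _der(2, b"\x01\x00\x01"))
TOY_PKCS8 = _der(0x30, _der(2, b"\x00") + _der(0x30, RSA_ALG) + _der(4, TOY_PKCS1))
SAMPLE_TRADITIONAL = _pem("RSA PRIVATE KEY", TOY_PKCS1)
SAMPLE_PKCS8 = _pem("PRIVATE KEY", TOY_PKCS8)
```

A result of "pkcs8" for a certmonger-issued key file matches the situation described in this report.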