Can I use freeipa certificates for systemd-journal-remote and systemd-journal-upload?

Hello,

I had a Smoothwall 3.1 firewall running for about 20 years that bit the dust last week. I’ve replaced it with an f40 server system with 4 NICs (internal LAN/wifi, dmz, home automation and external cable modem). I’ve got things working for the most part, using source address specified on the three private NICs and masquerading on the external NIC. The external NIC is a 2.5Gbit card that wasn’t inherently supported on smoothie, so I decided to just install Fedora on the replacement firewall.

I believe I have everything converted correctly from iptables to firewalld. This does let me retire rsyslogd and switch to systemd-journal-remote and systemd-journal-upload. My question is: can I use the freeipa certificate located in /etc/pki/tls/cert.pem as the systemd-journal-remote and systemd-journal-upload ServerCertificateFile= key value? If so, how do I get the key file out of NSS?

I’ve done an initial test with self-signed, but upload fails to connect because it’s self-signed. I’d ideally prefer being able to use the FreeIPA client certificates for the journal transfers, but if that’s not practical, do I need to create a FreeIPA service certificate just for the upload-remote host (central server) or do I have to create service certs for all hosts?

Thanks,
Eric

FreeIPA already contains a CA. I’m not interested in having to maintain a second CA for logging.


Yes, you can, I don’t see a problem. Make sure your hosts trust IPA CA chains. Both services accept --key/--cert/--trust options to specify certificate key, public cert and the trust chain.

I’m traveling until next week so cannot really try myself before that but let me know if it doesn’t work and what specific failure do you see.
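A pre-flight check for the setup described in this thread, added here as an example (it is not code from either poster or from systemd/FreeIPA): before pointing journal-upload or journal-remote at a key, certificate and trust chain, confirm that the key really belongs to the certificate and that the certificate chains to the IPA CA on its own. File paths are assumptions; /etc/ipa/ca.crt is where an enrolled IPA client normally keeps the CA chain.

```shell
# check_journal_tls CERT KEY CA
#   returns 0 when KEY is the private half of CERT and CERT verifies against
#   CA alone, non-zero (with a reason on stderr) otherwise. Paths are assumptions.
check_journal_tls() {
  cert=$1; key=$2; ca=$3
  for f in "$cert" "$key" "$ca"; do
    [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
  done
  # 1. ServerKeyFile= must match ServerCertificateFile=: derive the public key
  #    from each side and compare the PEM text (works for RSA and EC keys).
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "key does not match certificate" >&2; return 2; }
  # 2. The peer validates against TrustedCertificateFile= only, so verify
  #    against that CA file and deliberately ignore the system trust store.
  openssl verify -no-CApath -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "certificate does not chain to $ca" >&2; return 3; }
  echo "ok: $key matches $cert, which chains to $ca"
}

# The configuration this guards (journal-upload.conf shown; journal-remote.conf
# takes the same three *File= keys in its [Remote] section). Hypothetical paths:
#   [Upload]
#   URL=https://logs.example.test:19532
#   ServerKeyFile=/etc/pki/tls/private/journal.key
#   ServerCertificateFile=/etc/pki/tls/certs/journal.crt
#   TrustedCertificateFile=/etc/ipa/ca.crt
```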