Per Qvindesland via FreeIPA-users wrote:

Hi 

I am using the IPA server as the CA for our Apache SSL's, but I am

wondering if it's possible to have  a second SSL that's not the same as

the hostname, meaning I have already sub1.mydomain.com but I would like

to add also sub2.mydomain.com for another site, is this possible?

I have tried adding the hostname so ipa host-add sub2.mydomain.com

then ipa service-add HTTP/sub2.mydomain.com, but when I do:

ipa-getcert request -K HTTP/sub2.mydomain.com -k

/ssl/sub2.mydomaincom.key -f /ssl/sub2.mydomain.com.csr

-N sub2.mydomain.com then ipa-getcert list says it fails with:

status: CA_REJECTED

ca-error: Server at https://ipaserver.mydomain.com/ipa/json denied our

request, giving up: 2100 (Insufficient access: Insufficient 'write'

privilege to the 'userCertificate' attribute of entry

'krbprincipalname=HTTP/sub2.mydomain.com@MYDOMAIN.COM,cn=services,cn=accounts,dc=mydomain,dc=com'.)

How can I resolve this? 

certmonger (ipa-getcert) uses the credentials in /etc/krb5.conf on the
machine to authentication. By default it can only request certificates
for its own hostname.

You can use ipa service-add-host to add the host to the new service name.

Additionally, do you need a completely separate certificate or do you
want to add a SAN to the existing one? To do that you'd run:

ipa-getcert resubmit -D HTTP/your_new_hostname -i <id_of_request>

rob