Ian Pilcher wrote:
> On 01/30/2018 02:27 PM, Rob Crittenden wrote:
>> Not sure what you mean by arbitrary. You can definitely generate a CSR
>> using your favorite tool and pass that to ipa cert-request.
>
> By arbitrary I meant a CSR/certificate that doesn't correspond to a host
> (or user) that is managed by the FreeIPA server.  In my situation, I
> would like to sign TLS certificates for several of my network switches,
> wireless access points, etc., none of which can be enrolled as IPA
> hosts.
>

I see. Well, technically a host/service/whatever doesn't need to be
enrolled to get a cert it just needs a presence within IPA. Basically a
bucket into which to drop the cert for tracking.

So you can do this:

$ ipa host-add router.example.com
$ openssl ...
$ ipa cert-request host/router.example.com ...

I realize even this can seem a bit overbearing when you just want a cert
but given that IPA tries to be the central authority on things it made
sense to make it know about all issued certs as well.

That and my fear that if the requirement was relaxed an intruder,
disgruntled admin, whatever who got IPA admin rights could really do
some nasty things (e.g. add a DNS record for yourbank.com, get a valid,
trusted cert for it, etc).

rob

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org