[Freeipa-users] Ca signed very for non-IPA client

We have some ESXi boxes that need CA-signed certs and we're trying to figure out how to properly construct a CSR so that our IPA CA will process it. I'm having them create the cert using these commands: # certutil -R -d $PATH_TO_DB -a -g 2048 -s "CN=${FQDN},O=MY.NET" -i ${SHORTHOSTNAME},${FQDN} and when I take the resulting file and try to sign it in the GUI, I get a 903 error. When I try from the command-line, I get prompted for the principal, which might be the problem since I'm not sure what it would be: # ipa cert-request my.csr Principal: Has anyone done this, or is it never going to work since the target system isn't actually an IPA client? Bret Wortman Founder, Damascus Products, LLC 855-644-2783 | bret(a)wrapbuddies.co http://wrapbuddies.co/ 70 Main St. Suite 23 Warrenton, VA 20186