Bret Wortman via FreeIPA-users wrote:
> We have some ESXi boxes that need CA-signed certs and we're trying to
> figure out how to properly construct a CSR so that our IPA CA will
> process it.
>
> I'm having them create the cert using these commands:
>
> # certutil -R -d $PATH_TO_DB -a -g 2048 -s "CN=${FQDN},O=MY.NET" -i
> ${SHORTHOSTNAME},${FQDN}
I think you mean -8 and not -i right?
> and when I take the resulting file and try to sign it in the GUI, I
> get a 903 error. When I try from the command-line, I get prompted for
> the principal, which might be the problem since I'm not sure what it
> would be:
>
> # ipa cert-request my.csr
> Principal:
>
> Has anyone done this, or is it never going to work since the target
> system isn't actually an IPA client?
A 903 is an internal error so there should be more info in
/var/log/httpd/error_log.
For this to work you need to:
- pre-create the host in IPA
- if you are going to use any service principal other than host/ then
pre-create the service as well
- allow the IPA machine that you are requesting the cert on to manage
that service.
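The three preparation steps above, followed by the cert-request with an explicit principal, as an added shell example (not from Rob's reply or from FreeIPA itself). It assumes you run it on an enrolled IPA client holding an admin ticket; the host name esxi01.example.com, the service name and the requesting client name are placeholders, and it never invents a DNS record (hence --force on the host and service entries).

```shell
#!/bin/sh
# Added example: pre-create the host/service entries for a non-client
# machine (an ESXi box), let the requesting IPA client manage them, and
# then request the cert for that principal. All host names are placeholders.

# principal_for SERVICE FQDN -> Kerberos principal the cert is requested for
principal_for() {
    printf '%s/%s\n' "$1" "$2"
}

# needs_service_entry SERVICE -> true unless the principal is host/...
# (the host/ principal comes with the host entry; anything else needs
# its own service entry in IPA)
needs_service_entry() {
    [ "$1" != "host" ]
}

# prep_commands SERVICE TARGET_FQDN REQUESTING_FQDN
# Prints, one per line, the ipa commands that create the entries and
# grant the requesting client the right to manage the target principal.
prep_commands() {
    svc=$1; target=$2; requester=$3
    # --force: allow the entry even if the name has no DNS A record
    printf 'ipa host-add --force %s\n' "$target"
    if needs_service_entry "$svc"; then
        princ=$(principal_for "$svc" "$target")
        printf 'ipa service-add --force %s\n' "$princ"
        printf 'ipa service-add-host --hosts=%s %s\n' "$requester" "$princ"
    else
        printf 'ipa host-add-managedby --hosts=%s %s\n' "$requester" "$target"
    fi
}

# request_command SERVICE TARGET_FQDN CSR_FILE
# Naming the principal on the command line avoids the interactive
# "Principal:" prompt seen in the thread.
request_command() {
    printf 'ipa cert-request --principal=%s %s\n' \
        "$(principal_for "$1" "$2")" "$3"
}

# run_all SERVICE TARGET_FQDN REQUESTING_FQDN CSR_FILE
# Executes the commands in order; with DRY_RUN set it only prints them.
run_all() {
    { prep_commands "$1" "$2" "$3"; request_command "$1" "$2" "$4"; } |
    while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then
            echo "$cmd"
        else
            eval "$cmd" || exit 1
        fi
    done
}

# Only touch IPA when explicitly asked, e.g.:
#   RUN_IPA=1 sh prep.sh   (or DRY_RUN=1 RUN_IPA=1 sh prep.sh to preview)
if [ -n "${RUN_IPA:-}" ]; then
    run_all host esxi01.example.com "$(hostname -f)" my.csr
fi
```

Run it with DRY_RUN=1 first to review the exact commands; the host/ case needs only two preparation commands, any other service principal needs three.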
This is also described in
https://rcritten.wordpress.com/2018/11/26/how-do-i-get-a-certificate-for-...
with some additional details.
rob