2:56 p.m.
Bret Wortman via FreeIPA-users wrote:
> We have some ESXi boxes that need CA-signed certs and we're
trying to
> figure out how to properly construct a CSR so that our IPA CA will
> process it.
>
> I'm having them create the cert using these commands:
>
> # certutil -R -d $PATH_TO_DB -a -g 2048 -s "CN=${FQDN},O=MY.NET" -i
> ${SHORTHOSTNAME},${FQDN}
I think you mean -8 and not -i right?
> and when I take the resulting file and try to sign it in the GUI,
I
> get a 903 error. When I try from the command-line, I get prompted for
> the principal, which might be the problem since I'm not sure what it
> would be:
>
> # ipa cert-request my.csr
> Principal:
>
> Has anyone done this, or is it never going to work since the target
> system isn't actually an IPA client?
A 903 is an internal error so there should be more info in
/var/log/httpd/error_log.
For this to work you need to:
- pre-create the host in IPA
- if you are going to use any service principal other than host/ then
pre-create the service as well
- allow the IPA machine that you are requesting the cert on to manage
that service.
This is also described in
https://rcritten.wordpress.com/2018/11/26/how-do-i-get-a-certificate-for-...
with some additional details.
rob
>
> photo
> *Bret Wortman*
> Founder, Damascus Products, LLC
>
> 855-644-2783 <tel:855-644-2783> | bret@wrapbuddies.co
> <mailto:bret@wrapbuddies.co>
>
> http://wrapbuddies.co/
>
> 70 Main St. Suite 23 Warrenton, VA 20186
>
> <http://facebook.com/wrapbuddiesco>
> <http://www.linkedin.com/in/bretwortman>
> <http://twitter.com/wrapbuddiesco> <http://instagram.com/wrapbuddies>
>
photo
*Bret Wortman*
Founder, Damascus Products, LLC
855-644-2783 <tel:855-644-2783> | bret@wrapbuddies.co
<mailto:bret@wrapbuddies.co>
http://wrapbuddies.co/
<http://link.wisestamp.com/wf/click?upn=Gjsa-2BFCSunt9pf0TgWHHLiysuQa4Ukv-...
70 Main St. Suite 23 Warrenton, VA 20186 <x-apple-data-detectors://3>
<http://link.wisestamp.com/wf/click?upn=vpKJERi1tY7PB5Tngc96AybWG2oBJjuIZX...
<http://link.wisestamp.com/wf/click?upn=JpWBgyEnwHH-2BZ-2F6q0khuJNj3-2BOPw...
<http://link.wisestamp.com/wf/click?upn=frqkw0-2BXQfUAqxIenKLOlNVUb3mQcTCc...
<http://link.wisestamp.com/wf/click?upn=LgCARJHnjtd3UE8bx6jzptjNRyekl8Pvwy...
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...