Hi

I am using the IPA server as the CA for our Apache SSLs, but I am wondering if it's possible to have a second SSL that's not the same as the hostname, meaning I already have sub1.mydomain.com but I would like to also add sub2.mydomain.com for another site. Is this possible?

I have tried adding the hostname with ipa host-add sub2.mydomain.com, then ipa service-add HTTP/sub2.mydomain.com, but when I do:

ipa-getcert request -K HTTP/sub2.mydomain.com -k /ssl/sub2.mydomaincom.key -f /ssl/sub2.mydomain.com.csr -N sub2.mydomain.com

then ipa-getcert list says it fails with:

status: CA_REJECTED
ca-error: Server at https://ipaserver.mydomain.com/ipa/json denied our request, giving up: 2100 (Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/sub2.mydomain.com@MYDOMAIN.COM,cn=services,cn=accounts,dc=mydomain,dc=com'.)

How can I resolve this?
certmonger (ipa-getcert) uses the credentials in /etc/krb5.conf on the machine to authenticate. By default it can only request certificates for its own hostname.

You can use ipa service-add-host to add the host to the new service name.

Additionally, do you need a completely separate certificate or do you want to add a SAN to the existing one? To do that you'd run:

ipa-getcert resubmit -D HTTP/your_new_hostname -i <id_of_request>

rob
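The rejection above is easy to miss in a cron job or provisioning script, because ipa-getcert request itself exits 0 and the failure only shows up later in ipa-getcert list. The script below is an added example, not code from either poster or from FreeIPA: it parses the fields of an ipa-getcert list entry, classifies the request, and for the "insufficient 'write' privilege to userCertificate" case prints the remedy Rob describes (grant the host access to the service with ipa service-add-host, then resubmit the tracking request). The listing it runs against is a constructed sample modelled on the output quoted in the question; the request ID, the host name and the --hosts= argument are assumptions for illustration.

```shell
#!/bin/sh
# Classify an `ipa-getcert list` entry and, for the access-denied case seen in
# the thread, print the commands that grant the host access and resubmit.
# Live usage:  diagnose_request "$(ipa-getcert list -i "$REQUEST_ID")"

# Constructed sample of one tracked request, modelled on the message in the
# thread above. Not captured from a real server; the request ID is made up.
sample_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID '20240101000000':
    status: CA_REJECTED
    stuck: yes
    key pair storage: type=FILE,location='/ssl/sub2.mydomain.com.key'
    certificate: type=FILE,location='/ssl/sub2.mydomain.com.crt'
    ca-error: Server at https://ipaserver.mydomain.com/ipa/json denied our request, giving up: 2100 (Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/sub2.mydomain.com@MYDOMAIN.COM,cn=services,cn=accounts,dc=mydomain,dc=com'.)
    principal name: HTTP/sub2.mydomain.com@MYDOMAIN.COM
EOF
}

# Print the value of the first "key: value" field in listing $1 whose key is $2.
# Leading whitespace (certmonger indents with a tab) is ignored; the value may
# itself contain ": " (the ca-error does), so only the first separator counts.
list_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        { l = $0; sub(/^[ \t]+/, "", l) }
        index(l, key ": ") == 1 { print substr(l, length(key) + 3); exit }'
}

# Print the certmonger request ID from the "Request ID '...':" header line.
request_id() {
    printf '%s\n' "$1" | sed -n "s/^Request ID '\([^']*\)':.*/\1/p" | head -n 1
}

# Classify a listing. Prints one of:
#   issued       certificate obtained, certmonger is monitoring it
#   host-access  CA rejected because this host cannot write the service's
#                userCertificate attribute (the case in this thread)
#   rejected     CA rejected for some other reason (read ca-error)
#   pending      still being submitted or waiting on the CA
diagnose_request() {
    status=$(list_field "$1" status)
    err=$(list_field "$1" ca-error)
    case "$status" in
        MONITORING) echo issued ;;
        CA_REJECTED)
            case "$err" in
                *"Insufficient 'write' privilege to the 'userCertificate'"*) echo host-access ;;
                *) echo rejected ;;
            esac ;;
        *) echo pending ;;
    esac
}

# For the host-access case, print the fix from the reply above: add this host
# to the service entry, then resubmit the same tracking request. The service
# principal and request ID are taken from the listing; the --hosts= option of
# `ipa service-add-host` is assumed here (not shown in the thread).
suggest_fix() {
    principal=$(list_field "$1" "principal name")
    principal=${principal%@*}      # strip the realm: HTTP/sub2.mydomain.com
    id=$(request_id "$1")
    host=$(hostname -f 2>/dev/null || hostname 2>/dev/null || echo this-host)
    printf 'ipa service-add-host %s --hosts=%s\n' "$principal" "$host"
    printf 'ipa-getcert resubmit -i %s\n' "$id"
}

# Run against the constructed sample.
listing=$(sample_list)
verdict=$(diagnose_request "$listing")
echo "request $(request_id "$listing"): $verdict"
[ "$verdict" = host-access ] && suggest_fix "$listing"
```

After running the two printed commands, ipa-getcert list should move the request to MONITORING; if it stays CA_REJECTED with a different ca-error, the classifier reports "rejected" so the message is read rather than retried blindly.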