Thanks, Rob. I’ll give it another try in the morning and let you know how it goes. And yes, -8. Keyboard error.

On 25 Feb 2019, at 15:56, Rob Crittenden wrote:

> Bret Wortman via FreeIPA-users wrote:
>> We have some ESXi boxes that need CA-signed certs and we're trying to
>> figure out how to properly construct a CSR so that our IPA CA will
>> process it.
>> I'm having them create the cert using these commands:
>> # certutil -R -d $PATH_TO_DB -a -g 2048 -s "CN=${FQDN},O=MY.NET" -i ${SHORTHOSTNAME},${FQDN}
>
> I think you mean -8 and not -i right?
>
>> and when I take the resulting file and try to sign it in the GUI, I
>> get a 903 error. When I try from the command-line, I get prompted for
>> the principal, which might be the problem since I'm not sure what it
>> would be:
>> # ipa cert-request my.csr
>> Principal:
>> Has anyone done this, or is it never going to work since the target
>> system isn't actually an IPA client?
>
> A 903 is an internal error so there should be more info in
> /var/log/httpd/error_log.
> For this to work you need to:
> - pre-create the host in IPA
> - if you are going to use any service principal other than host/ then
> pre-create the service as well
> - allow the IPA machine that you are requesting the cert on to manage
> that service.
>
> This is also described in
> https://rcritten.wordpress.com/2018/11/26/how-do-i-get-a-certificate-for-my-web-site-with-ipa/
> with some additional details.
>
> rob

*Bret Wortman*
Founder, Damascus Products, LLC
855-644-2783 <tel:855-644-2783> | bret@wrapbuddies.co
<mailto:bret@wrapbuddies.co>
http://wrapbuddies.co/
70 Main St. Suite 23 Warrenton, VA 20186
<http://facebook.com/wrapbuddiesco>
<http://www.linkedin.com/in/bretwortman>
<http://twitter.com/wrapbuddiesco> <http://instagram.com/wrapbuddies>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
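
The preparation steps Rob lists in the thread, followed by the request itself, as an added example that is not part of the original messages. The host names `esxi01.my.net` and `ipaclient.my.net` are constructed, the `run`/`DRY_RUN` wrapper is a hypothetical helper, and a valid admin Kerberos ticket is assumed when the commands are actually executed.

```shell
#!/bin/sh
# Added example: prepare IPA for a host that is not an enrolled client,
# then request its certificate. All host names below are constructed.
DRY_RUN=${DRY_RUN:-1}   # 1 = print the ipa commands, 0 = execute them

# Hypothetical helper: print the command in dry-run mode, else run it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# request_cert FQDN MANAGER CSR [SERVICE]
#   FQDN     host the certificate is for (e.g. the ESXi box)
#   MANAGER  enrolled IPA machine on which cert-request is run
#   CSR      path to the PEM-encoded CSR
#   SERVICE  optional service name (e.g. HTTP); default is the host/ principal
request_cert() {
    fqdn=$1 manager=$2 csr=$3 service=${4:-host}
    principal="$service/$fqdn"

    # Step 1: pre-create the host (--force skips the DNS record check)
    run ipa host-add "$fqdn" --force || return 1
    if [ "$service" = host ]; then
        # Step 3 for host/: let the requesting machine manage the host entry
        run ipa host-add-managedby "$fqdn" --hosts="$manager" || return 1
    else
        # Step 2: pre-create the service; step 3: let the machine manage it
        run ipa service-add "$principal" --force || return 1
        run ipa service-add-host "$principal" --hosts="$manager" || return 1
    fi
    # Name the principal explicitly so cert-request does not prompt for it
    run ipa cert-request "$csr" --principal="$principal"
}

# Dry run with constructed values: prints the commands in order
request_cert esxi01.my.net ipaclient.my.net my.csr
```

Set `DRY_RUN=0` to execute the commands instead of printing them; the CSR subject CN must match the host name given as `FQDN`.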