Hi,

I need to create a new certificate for my Asus router. The router is not part of the FreeIPA domain, so I need to manually update the certificate when it expires.

getcert request -k /etc/pki/router_private -f /etc/pki/router_cert -D router.my.lan -N "cn=router.my.lan" -K http/router.my.lan -c IPA

Then getcert list shows this:

Request ID '20170722085458':
	status: CA_REJECTED
	ca-error: Server at https://ipa.my.lan/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/router.my.lan@MY.LAN,cn=services,cn=accounts,dc=my,dc=lan'.).
	stuck: yes
	key pair storage: type=FILE,location='/etc/pki/router_private'
	certificate: type=FILE,location='/etc/pki/router_cert'
	CA: IPA
	issuer: 
	subject: 
	expires: unknown
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

I then removed the existing HTTP/router.my.lan principal, but then I get:

ca-error: Server at https://ipa.win.lan/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=http/router.my.lan@MY.LAN,cn=services,cn=accounts,dc=my,dc=lan'.).

Any hints on how I create the certificate?

-- john
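As an added example (not part of the original post), here is a small Python parser for `getcert list` output of the form quoted above. It flags requests that certmonger will not complete on its own (status CA_REJECTED or stuck: yes) and pulls the LDAP entry named in the ca-error, which is the thing whose permissions an admin needs to look at. The sample input is constructed from the post's output, with a second healthy request invented for contrast.

```python
"""Parse `getcert list` output and flag requests certmonger cannot complete
(status CA_REJECTED or stuck: yes). SAMPLE is a constructed input modelled
on the output quoted in the post, plus one healthy request for contrast."""
import re

SAMPLE = """\
Request ID '20170722085458':
\tstatus: CA_REJECTED
\tca-error: Server at https://ipa.my.lan/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/router.my.lan@MY.LAN,cn=services,cn=accounts,dc=my,dc=lan'.).
\tstuck: yes
\tkey pair storage: type=FILE,location='/etc/pki/router_private'
\tCA: IPA
\texpires: unknown
\ttrack: yes
Request ID '20170101000000':
\tstatus: MONITORING
\tstuck: no
\tCA: IPA
\texpires: 2018-01-01 00:00:00 UTC
\ttrack: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
ENTRY_RE = re.compile(r"entry '([^']+)'")   # LDAP entry named in the ca-error


def parse_getcert_list(text):
    """Return {request_id: {field: value}} from the indented 'key: value' lines."""
    requests, current = {}, None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
            continue
        if current is None or ":" not in line:
            continue
        # split on the first colon only: ca-error values contain URLs
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def stuck_requests(text):
    """(request_id, status, LDAP entry from ca-error or None) for each request
    that is stuck or was rejected by the CA."""
    found = []
    for rid, fields in parse_getcert_list(text).items():
        status = fields.get("status", "")
        if fields.get("stuck") == "yes" or status == "CA_REJECTED":
            m = ENTRY_RE.search(fields.get("ca-error", ""))
            found.append((rid, status, m.group(1) if m else None))
    return found
```

Running `stuck_requests` over the real output of `getcert list` from cron or a monitoring check gives early warning that a tracked certificate is not going to renew.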