On 07/12/2017 12:50 PM, John Morris via FreeIPA-users wrote:
> Is it possible to use certmonger to request a cert from a FreeIPA
> sub-CA? What is the `ipa-getcert request` command-line usage for that?
> The certmonger man-pages seem to indicate the `ipa-getcert request -X
> ISSUER` argument. However I've been unable to find usage examples, and
> using neither the ipa sub-CA's name nor subject DN for ISSUER seems to work.
I'm not sure what changed, but the `-X sub-CA-name` arg started working
suddenly. Very nice!
Sadly, the `-F ca-cert-file-path` arg only gets the top-level CA cert,
and not the sub-CA cert. But that can be worked around. Thanks-
John