I'm having some trouble getting sub-CA signed certificates issued and managed 
by certmonger. The implementation here 
[https://www.freeipa.org/page/V4/Sub-CAs] describes how that should work. I see 
that the -X option can be passed to ipa-getcert to specify the issuer, but 
every time I create a request with -X specified I get an error.

Steps to reproduce:
1. Create a new CA named "Test" through the FreeIPA web UI.

2. Run the following on a host enrolled in FreeIPA:
ipa-getcert request -k /root/test.key -f /root/test.crt -I "testrequest" -X "Test"

3. Run ipa-getcert list and receive an error message:
Request ID 'test':
        status: CA_REJECTED
        ca-error: Server at https://ipa02.yyy.com/ipa/xml failed request, will retry: 4035 (RPC failed at server.  Request failed with status 500: Non-2xx response from CA REST API: 500. ).
        stuck: yes
        key pair storage: type=FILE,location='/root/test.key'
        certificate: type=FILE,location='/root/test.crt'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

Running FreeIPA 4.6.4

Thanks for the help!
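
Added example (not part of the original post, and not FreeIPA or certmonger code): a small Python parser for ipa-getcert list output like the listing above, which flags tracked requests that are stuck or not in the MONITORING state. The sample text is constructed from the output in the post plus one constructed healthy request; the function names are hypothetical.

```python
import re

# Constructed sample modelled on the `ipa-getcert list` output in the post,
# plus one constructed healthy request ('web') for contrast.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID 'test':
        status: CA_REJECTED
        ca-error: Server at https://ipa02.yyy.com/ipa/xml failed request, will retry: 4035 (RPC failed at server.  Request failed with status 500: Non-2xx response from CA REST API: 500. ).
        stuck: yes
        key pair storage: type=FILE,location='/root/test.key'
        certificate: type=FILE,location='/root/test.crt'
        CA: IPA
        issuer:
Request ID 'web':
        status: MONITORING
        stuck: no
        CA: IPA
"""

REQUEST_RE = re.compile(r"^Request ID '(.+)':\s*$")

def parse_getcert_list(text):
    """Return {request_id: {field: value}} from `getcert list` style text."""
    requests, current = {}, None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and line[:1].isspace() and ":" in line:
            # Split on the first colon only: values such as ca-error contain more.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def needs_attention(requests):
    """Requests that are stuck or not in the steady MONITORING state."""
    flagged = {}
    for rid, fields in requests.items():
        if fields.get("stuck") == "yes" or fields.get("status") != "MONITORING":
            flagged[rid] = (fields.get("status"), fields.get("ca-error", ""))
    return flagged

if __name__ == "__main__":
    for rid, (status, err) in needs_attention(parse_getcert_list(SAMPLE)).items():
        print(f"{rid}: {status} {err}")
```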