On 13/02/2020 14:46, Fraser Tweedale wrote:
> On Thu, Feb 13, 2020 at 11:59:34AM +0000, lejeczek via FreeIPA-users wrote:
>> hi everyone,
>>
>> how, if possible at all, to have IPA sign a cert sign request which is
>> not part of IPA's domain/realm?
>>
>> many thanks, L.
>>
> You sure can. Just add the host principal for the name you want,
> and use it as the subject principal. The same operator
> authorisation and CA ACLs enforcement is applied for every
> certificate request, whether the subject DNS name is within the IPA
> domain or not.
>
> Cheers,
> Fraser
>

okay, would you correct whatever my wrongdoing here was?

$ ipa dnsrecord-add dracownia.nr. idrac-HV2315J-rider --a-rec=192.168.2.11
$ ipa host-add idrac-941415J-swir.dracownia.nr
$ ipa service-add http/idrac-941415J-swir.dracownia.nr
$ ipa service-add-host --hosts=idrac-941415J-swir.dracownia.nr http/idrac-941415J-swir.dracownia.nr
$ ipa cert-request idrac-941415J-swir.csr --principal=http/idrac-941415J-swir.dracownia.nr
ipa: ERROR: invalid 'csr': hostname in subject of request 'idrac-941415J-swir' does not match name or aliases of principal 'http/idrac-941415J-swir.dracownia.nr@IPA_DOMAIN'

I believe it's trivial, but before I play it all out, you, I'm sure, can point out the silly mistakes and oversights already.

many thanks, L.
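
Added example (not part of the original message and not FreeIPA's own code): a client-side pre-flight check for the mismatch the error above reports, comparing the hostname in a CSR's subject CN with the host part of the principal passed to ipa cert-request. The function names are hypothetical, the case-insensitive comparison is an assumption, and principal aliases stored in IPA are not consulted.

```shell
#!/bin/sh
# Added example: compare a CSR's subject CN with the hostname part of the
# principal before running `ipa cert-request`. This only approximates the
# server-side rule shown in the error message; aliases are not checked.

# Print the CN from a CSR's subject (requires the openssl CLI).
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=//; s/.*CN=\([^,]*\).*/\1/p'
}

# Hostname part of a service principal: service/host@REALM -> host
principal_host() {
    p=${1#*/}                    # drop the "service/" prefix
    printf '%s\n' "${p%%@*}"     # drop the "@REALM" suffix, if present
}

# Return 0 when the CN equals the principal's hostname, 1 otherwise.
# Assumption: hostnames are compared case-insensitively, as DNS names are.
check_match() {
    have=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    want=$(principal_host "$2" | tr 'A-Z' 'a-z')
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# preflight CSR_FILE PRINCIPAL: report whether the request would match.
preflight() {
    subject_cn=$(csr_cn "$1") || return 2
    if check_match "$subject_cn" "$2"; then
        echo "ok: subject CN '$subject_cn' matches $2"
    else
        echo "mismatch: subject CN '$subject_cn', principal host '$(principal_host "$2")'" >&2
        return 1
    fi
}

# Usage: sh preflight.sh idrac-941415J-swir.csr http/idrac-941415J-swir.dracownia.nr
if [ $# -eq 2 ]; then
    preflight "$1" "$2"
fi
```

With the values from the error message, a subject CN of 'idrac-941415J-swir' is reported as a mismatch, while a CN of 'idrac-941415J-swir.dracownia.nr' passes this check.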