On 2/14/20 9:39 AM, lejeczek via FreeIPA-users wrote:
On 13/02/2020 14:46, Fraser Tweedale wrote:
On Thu, Feb 13, 2020 at 11:59:34AM +0000, lejeczek via FreeIPA-users
wrote:
hi everyone,

how, if possible at all, to have IPA sign a cert signing request which is
not part of IPA's domain/realm?

many thanks, L.

You sure can.  Just add the host principal for the name you want,
and use it as the subject principal.  The same operator
authorisation and CA ACLs enforcement is applied for every
certificate request, whether the subject DNS name is within the IPA
domain or not.

Cheers,
Fraser

okay, would you correct whatever my wrongdoing here was?

$ ipa dnsrecord-add  dracownia.nr. idrac-HV2315J-rider --a-rec=192.168.2.11

$ ipa host-add idrac-941415J-swir.dracownia.nr

$ ipa service-add http/idrac-941415J-swir.dracownia.nr

$ ipa service-add-host --hosts=idrac-941415J-swir.dracownia.nr http/idrac-941415J-swir.dracownia.nr

$ ipa cert-request idrac-941415J-swir.csr --principal=http/idrac-941415J-swir.dracownia.nr
ipa: ERROR: invalid 'csr': hostname in subject of request
'idrac-941415J-swir' does not match name or aliases of principal
'http/idrac-941415J-swir.dracownia.nr@IPA_DOMAIN'

It looks like the CSR contains a hostname not fully qualified in its subject. You can check with:
$ openssl req -noout -text -in idrac-941415J-swir.csr

flo

I believe it's trivial but before I play it all out, you, I'm sure, can
point out the silly mistakes and oversights already.

many thanks, L.
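
The check flo suggests, worked through as an added example that is not part of the thread: generate a CSR whose subject CN (and SAN dNSName) is the fully qualified service hostname, then confirm the CN matches the hostname in the Kerberos principal before running `ipa cert-request`. The hostnames follow the thread; the realm `IPA_DOMAIN` is a placeholder, and the script assumes `openssl` 1.1.1 or newer (for `-addext`).

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes openssl >= 1.1.1.
# The realm IPA_DOMAIN below is a placeholder.

# Hostname part of a Kerberos service principal:
#   http/host.example.test@REALM  ->  host.example.test
principal_host() {
    p=${1#*/}          # drop the "service/" prefix
    echo "${p%%@*}"    # drop the "@REALM" suffix
}

# Generate an RSA key and a CSR for the given FQDN into $2.key and $2.csr.
# Subject CN and SAN dNSName both carry the full hostname, which is what
# ipa cert-request compares against the principal's name and aliases.
make_csr() {
    fqdn=$1; out=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$out.key" -out "$out.csr" \
        -subj "/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" >/dev/null 2>&1
}

# Print the CN from the CSR subject (RFC 2253 form: subject=CN=...,O=...).
csr_cn() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/^subject=CN=\([^,]*\).*/\1/p'
}

# Return 0 when the CSR's CN equals the principal's hostname
# (case-insensitive, as DNS names are); otherwise report the mismatch
# that ipa cert-request would reject and return 1.
check_csr_principal() {
    csr=$1; principal=$2
    cn=$(csr_cn "$csr" | tr 'A-Z' 'a-z')
    host=$(principal_host "$principal" | tr 'A-Z' 'a-z')
    if [ "$cn" = "$host" ]; then
        echo "ok: CN '$cn' matches principal host '$host'"
        return 0
    fi
    echo "mismatch: CN '$cn' does not match principal host '$host'" >&2
    return 1
}

# Demo run with the names from the thread (realm is a placeholder).
tmp=$(mktemp -d)
make_csr idrac-941415J-swir.dracownia.nr "$tmp/idrac-941415J-swir"
check_csr_principal "$tmp/idrac-941415J-swir.csr" \
    "http/idrac-941415J-swir.dracownia.nr@IPA_DOMAIN"
```

A CSR made with `-subj "/CN=idrac-941415J-swir"` (no domain part) fails the check with exactly the kind of mismatch reported in the thread, so running it before submission saves a round trip to the CA.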


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
