On Fri, 14 Feb 2020, Florence Blanc-Renaud via FreeIPA-users wrote:
On 2/14/20 9:39 AM, lejeczek via FreeIPA-users wrote:
On 13/02/2020 14:46, Fraser Tweedale wrote:
On Thu, Feb 13, 2020 at 11:59:34AM +0000, lejeczek via FreeIPA-users
wrote:
hi everyone,
how, if possible at all, to have IPA sign a cert signing request which is
not part of IPA's domain/realm?
many thanks, L.
You sure can. Just add the host principal for the name you want,
and use it as the subject principal. The same operator
authorisation and CA ACLs enforcement is applied for every
certificate request, whether the subject DNS name is within the IPA
domain or not.
Cheers,
Fraser
okay, would you correct whatever my wrongdoing here was?
$ ipa dnsrecord-add dracownia.nr. idrac-HV2315J-rider --a-rec=192.168.2.11
$ ipa host-add idrac-941415J-swir.dracownia.nr
$ ipa service-add http/idrac-941415J-swir.dracownia.nr
$ ipa service-add-host --hosts=idrac-941415J-swir.dracownia.nr http/idrac-941415J-swir.dracownia.nr
$ ipa cert-request idrac-941415J-swir.csr --principal=http/idrac-941415J-swir.dracownia.nr
ipa: ERROR: invalid 'csr': hostname in subject of request
'idrac-941415J-swir' does not match name or aliases of principal
'http/idrac-941415J-swir.dracownia.nr@IPA_DOMAIN'
It looks like the CSR contains a hostname not fully qualified in its
subject. You can check with:
$ openssl req -noout -text -in idrac-941415J-swir.csr
Correct. Also, browsers will expect a service principal starting with
HTTP/..., not http/... -- the case matters!
So you should create a proper principal first and also re-generate your
CSR.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
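The two conditions the replies point at (a fully qualified CN that matches the principal's host, and an upper-case HTTP/ service name) can be checked before running ipa cert-request. The following shell pre-flight check is an added example, not code from the thread or from FreeIPA; the function names are mine, and it only compares the subject CN against the principal's canonical host, not host aliases or SAN entries.

```shell
#!/bin/bash
# Pre-flight check for 'ipa cert-request': confirm the CSR subject CN is a
# fully qualified hostname equal to the host part of the requested
# principal, and that an HTTP service principal is spelled "HTTP/".

# principal_service PRINCIPAL -> service part of "svc/host[@REALM]"
principal_service() {
    local p="${1%%@*}"        # strip an optional @REALM suffix
    printf '%s\n' "${p%%/*}"
}

# principal_host PRINCIPAL -> host part of "svc/host[@REALM]"
principal_host() {
    local p="${1%%@*}"
    printf '%s\n' "${p#*/}"
}

# subject_cn SUBJECT_LINE -> CN value from 'openssl req -noout -subject'
# output, in either "CN = x, OU = y" or legacy "/CN=x/OU=y" form
subject_cn() {
    printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' \
        | sed 's/[[:space:]]*$//'
}

# check_csr_subject SUBJECT_LINE PRINCIPAL -> 0 if consistent, 1 otherwise;
# each problem is reported on stderr
check_csr_subject() {
    local subject="$1" principal="$2"
    local cn svc host rc=0
    cn=$(subject_cn "$subject")
    svc=$(principal_service "$principal")
    host=$(principal_host "$principal")
    [ -n "$cn" ] || { echo "no CN in subject: $subject" >&2; return 1; }
    case "$cn" in
        *.*) ;;   # contains a dot: treat as fully qualified
        *) echo "CN '$cn' is not fully qualified (expected '$host')" >&2; rc=1 ;;
    esac
    if [ "$cn" != "$host" ]; then
        echo "CN '$cn' does not match principal host '$host'" >&2; rc=1
    fi
    if [ "$svc" = "http" ]; then
        echo "service name '$svc' should be 'HTTP' (case matters)" >&2; rc=1
    fi
    return "$rc"
}

# check_csr_file CSR_FILE PRINCIPAL -> reads the subject with openssl, then checks it
check_csr_file() {
    local subject
    subject=$(openssl req -noout -subject -in "$1") || return 1
    check_csr_subject "$subject" "$2"
}
```

Run it as `check_csr_file idrac-941415J-swir.csr HTTP/idrac-941415J-swir.dracownia.nr` before submitting the request; a non-zero exit means the CSR or principal needs regenerating.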
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org