Bret Wortman via FreeIPA-users wrote:
> I know I can paste a CSR from one of our servers into the GUI and
> generate a new cert, but how can I do this from a command line?
>
> I've been working with this:
>
> # ipa cert-request --principal=HTTP/$HOST $DB/$HOST.csr

Add the --add option to create the principal if it doesn't already exist (assuming your Kerberos principal has rights to add one). You can make this all automatic with something like:

# KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa cert-request --add --principal=HTTP/$HOST $DB/$HOST.csr

No kinit needed.

> But that's giving me an error that the principal doesn't exist. Then
> (admittedly, I picked up this command from a discussion I found):
>
> # ipa cert-show $SERIAL_NUMBER --out=$DB/sslcert.pem
>
> How do I get the serial number?
>
> Basically, I'm trying to wrap and automate the process of granting a new
> cert to a server.

The serial number will be in the output from the cert-request command, twice actually: one decimal, one hex. You can do it hackily via something like:

SERIAL_NUMBER=$(KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa cert-request --principal bar/`hostname` /tmp/csr --add 2>&1 | grep "Serial number: " | cut -d: -f2)

Though that won't catch errors.

You can also do a service-show HTTP/$HOST to get the serial number.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
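The automation sketched in the reply above, written out as an added example that is not part of the thread or of FreeIPA itself: a POSIX shell wrapper that requests the certificate with --add under the host keytab, pulls the decimal serial out of cert-request's output without discarding ipa's exit status (the weakness Rob points out in the `2>&1 | grep | cut` one-liner), and then fetches the issued certificate with cert-show --out. The sample cert-request output is constructed; the keytab path, the HTTP/$host principal and the --out option are taken from the thread, and the exact set of fields ipa prints differs between FreeIPA versions, so only the "Serial number:" line is relied on.

```shell
#!/bin/sh
# Added example (not from the thread): automate ipa cert-request + cert-show.

# Constructed sample of `ipa cert-request` output. FreeIPA prints the serial
# twice, once decimal and once hex; the other fields vary by version.
SAMPLE_OUTPUT='  Issuing CA: ipa
  Certificate: MIIE...
  Subject: CN=web1.example.test,O=EXAMPLE.TEST
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Not Before: Mon Jan 01 00:00:00 2024 UTC
  Not After: Thu Jan 01 00:00:00 2026 UTC
  Serial number: 268369921
  Serial number (hex): 0xFFF0001'

# extract_serial: read cert-request output on stdin, print the decimal serial.
# Exits 1 unless exactly one "Serial number: <digits>" line is present, so a
# caller never proceeds with an empty or multi-valued serial. The hex line
# ("Serial number (hex): ...") deliberately does not match.
extract_serial() {
    serial=$(sed -n 's/^[[:space:]]*Serial number: *\([0-9][0-9]*\)[[:space:]]*$/\1/p')
    case "$serial" in
        '')       return 1 ;;   # no serial line: request failed or format changed
        *[!0-9]*) return 1 ;;   # more than one match (newline) or garbage
    esac
    printf '%s\n' "$serial"
}

# request_cert HOST CSR OUTFILE
# Runs the full procedure from the thread: request the cert for HTTP/HOST,
# creating the service principal if missing (--add), then fetch the issued
# certificate by serial. The host keytab is used, so no kinit is needed; the
# host principal must be allowed to add services and request certificates.
# stdout and stderr are kept separate so an ipa error is never parsed as if
# it were a result, and a non-zero ipa exit stops the script.
request_cert() {
    host=$1; csr=$2; out=$3
    tmp=$(mktemp) || return 1
    if ! KRB5_CLIENT_KTNAME=/etc/krb5.keytab \
         ipa cert-request --add --principal="HTTP/$host" "$csr" >"$tmp" 2>"$tmp.err"; then
        cat "$tmp.err" >&2
        rm -f "$tmp" "$tmp.err"
        return 1
    fi
    if ! serial=$(extract_serial <"$tmp"); then
        echo "cert-request succeeded but printed no usable serial number" >&2
        rm -f "$tmp" "$tmp.err"
        return 1
    fi
    rm -f "$tmp" "$tmp.err"
    # --out is the option used in the thread; newer releases also accept
    # --certificate-out for the same purpose.
    KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa cert-show "$serial" --out="$out"
}

# Usage (not executed here): request_cert web1.example.test /tmp/web1.csr /tmp/web1.pem
```

The two functions are separated on purpose: `extract_serial` can be exercised offline against captured output, while `request_cert` is the piece that talks to the IPA server. Because `ipa` writes its error text to stderr, merging the streams before `grep` (as in the one-liner) hides a failed request behind an empty variable; redirecting them to separate files and checking the exit code is what makes the script safe to run unattended.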