Thanks, Rob. I'm a lot closer now.

What I'm getting now looks like:
# KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa cert-request --add \
    --principal=HTTP/$HOST $DB/$HOST.csr
IPA: error: The service principal for subject alt name myhost in certificate
request does not exist

What we've done before is set up each system with its FQDN and just its 
hostname (and some have other aliases as well). Is that what's causing a 
problem?
I've looked for documentation on the ipa cert-request command but can't seem to 
find anything.

Bret Wortman
Founder, Damascus Products, LLC

855-644-2783 | b...@wrapbuddies.co

http://wrapbuddies.co/

70 Main St. Suite 23 Warrenton, VA 20186

On Apr 11 2019, at 11:31 am, Rob Crittenden <rcrit...@redhat.com> wrote:
> Bret Wortman via FreeIPA-users wrote:
> > I know I can paste a CSR from one of our servers into the GUI and
> > generate a new cert, but how can I do this from a command line?
> >
> > I've been working with this:
> > # ipa cert-request --principal=HTTP/$HOST $DB/$HOST.csr
> Add the --add option to create the principal if it doesn't already exist
> (assuming your kerberos principal has rights to add one).
>
> You can make this all automatic with something like:
> # KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa cert-request --add \
>     --principal=HTTP/$HOST $DB/$HOST.csr
>
> No kinit needed.
> > But that's giving me an error that the principal doesn't exist. Then
> > (admittedly, I picked up this command from a discussion I found):
> >
> > # ipa cert-show $SERIAL_NUMBER --out=$DB/sslcert.pem
> > How do I get the serial number?
> > Basically, I'm trying to wrap and automate the process of granting a new
> > cert to a server.
>
>
> The serial number will be in the output from the cert-request command,
> twice actually: one decimal, one hex.
>
> You can do it hackily via something like:
> SERIAL_NUMBER=$(KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa cert-request \
>     --principal bar/`hostname` /tmp/csr --add 2>&1 | grep "Serial number: " | cut -d: -f2)
>
> Though that won't catch errors. You can also do a service-show
> HTTP/$HOST to get the serial number.
>
> rob
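One way to script the request Rob describes, and to see the bare-hostname SAN ("myhost") behind the error Bret hit before calling `ipa`, as an added example that is not part of the thread (not Bret's, Rob's or FreeIPA's own code). The function names `parse_serial`, `csr_dns_sans`, `bare_sans` and `request_cert`, the `KEYTAB` and `IPA` variables, and every sample text below are mine; the only thing taken from the thread is that `ipa cert-request` prints the serial twice, once in decimal ("Serial number:") and once in hex, and that `ipa cert-show SERIAL --out=FILE` retrieves the PEM. Unlike the `2>&1 | grep` one-liner, this keeps stderr out of the parser and fails on a non-zero exit instead of producing an empty serial.

```shell
#!/bin/bash
# Added example (not Bret's, Rob's or FreeIPA's code): wrap
# `ipa cert-request --add` so failures are reported instead of being
# grepped as data, and list the dNSName SANs in a CSR so a bare hostname
# (like "myhost" in the error above) is visible before the request.
# Assumptions: FreeIPA 4.x prints "Serial number: <decimal>" and a separate
# "Serial number (hex): 0x..." line on stdout and exits non-zero on error.
# All sample texts below are constructed for the offline demo.
set -u

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"   # assumed path, same as in the thread
IPA="${IPA:-ipa}"                       # point at a stub for a dry run

# Read `ipa cert-request` stdout on stdin; print the decimal serial.
# The pattern is anchored so "Serial number (hex): 0x1C" does not match.
# Returns 1 if no serial line is present.
parse_serial() {
    local serial
    serial=$(sed -n 's/^[[:space:]]*Serial number: *\([0-9][0-9]*\)[[:space:]]*$/\1/p' | head -n 1)
    [ -n "$serial" ] || return 1
    printf '%s\n' "$serial"
}

# Read `openssl req -noout -text -in host.csr` output on stdin;
# print one DNS SAN per line (the line after the SAN header).
csr_dns_sans() {
    awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# DNS SANs without a dot: a bare hostname will not match a service
# principal named after the FQDN, so surface them for the operator.
bare_sans() {
    csr_dns_sans | grep -v '\.' || true
}

# request_cert SERVICE HOST CSR OUT
# Runs cert-request (creating the principal if missing), then cert-show
# with the parsed serial to write the PEM to OUT. Prints the serial.
request_cert() {
    local service=$1 host=$2 csr=$3 out=$4 output serial
    # Capture stdout only: an "ipa: ERROR:" line on stderr never reaches the parser.
    if ! output=$(KRB5_CLIENT_KTNAME="$KEYTAB" "$IPA" cert-request --add \
                      --principal="$service/$host" "$csr"); then
        echo "cert-request failed for $service/$host" >&2
        return 1
    fi
    if ! serial=$(printf '%s\n' "$output" | parse_serial); then
        echo "cert-request succeeded but printed no serial number" >&2
        return 1
    fi
    KRB5_CLIENT_KTNAME="$KEYTAB" "$IPA" cert-show "$serial" --out="$out" || return 1
    printf '%s\n' "$serial"
}

# --- constructed samples so the parsers can be exercised offline ---
SAMPLE_OK='  Issuing CA: ipa
  Certificate: MIIC...(truncated)
  Subject: CN=myhost.example.com,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Serial number: 28
  Serial number (hex): 0x1C'
SAMPLE_ERR='ipa: ERROR: The service principal for subject alt name myhost in certificate request does not exist'
SAMPLE_CSR_TEXT='        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:myhost.example.com, DNS:myhost'

# Stand-alone demo. Real use:
#   request_cert HTTP "$HOST" "$DB/$HOST.csr" "$DB/sslcert.pem"
#   openssl req -noout -text -in "$DB/$HOST.csr" | bare_sans
printf '%s\n' "$SAMPLE_OK" | parse_serial                                   # 28
printf '%s\n' "$SAMPLE_ERR" | parse_serial || echo "no serial in error output"
printf '%s\n' "$SAMPLE_CSR_TEXT" | bare_sans                                # myhost
```

`bare_sans` only flags names without a dot; compare its output against `ipa service-find` (or the host entry's aliases) before requesting, since `cert-request` rejects any dNSName SAN that has no matching principal.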
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org