Alexander Bokovoy via FreeIPA-users wrote:
> On to, 08 elo 2019, Christian Reiss via FreeIPA-users wrote:
>> Hey folks,
>>
>> Really quick question. If a host, say web01.example.com is online, in
>> IPA et all but serving supremecustomer.com and I would need a
>> (ipa-signed, which suffices) cert, would this be the right way?
>>
>> Assumptions: - All commands executed on web01.example.com
>>             - /etc/ssl/ipa & perms are OK.
>>
>> cert="supremecustomer.com"
>> ipa host-add ${cert} --desc="Dummy Host / ${cert}"
>> --location="$(hostname -f)"
>> ipa host-add-managedby ${cert} --hosts="$(hostname -f)"
>> ipa service-add HTTP/${cert}
>> ipa service-add-host HTTP/${cert} --hosts="$(hostname -f)"
>> ipa-getcert request -r -f /etc/ssl/ipa/${cert}.crt -k
>> /etc/ssl/ipa/${cert}.key -N CN=${cert} -D ${cert} -K HTTP/${cert}
>> chown root:nginx /etc/ssl/ipa/${cert}.{key,crt}
>> chmod 0640 /etc/ssl/ipa/${cert}.{key,crt}
>>
>>
>> Is this still the way to go? Is there a way around "One dummy host per
>> SNI Certificate" in any way?
> Since FreeIPA 4.7.0 you can add a service without host, by using
> --skip-host-check.
> 
> This would work for RHEL 8.x and Fedora 29+.
> 
> For older systems you still need a managing host.
> 

Right. Something in IPA needs to show you have permission to issue
certificates for a given object.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

Reply via email to