iam pollux via FreeIPA-users wrote:
> Hello,
>
> I have:
> - a CA with FreeIPA
> - a sub CA with FreeIPA too
> - a server with certmonger installed on it and connected to the sub CA
> - an external client without FreeIPA or certmonger.
>
> CA, sub CA and server are on the same realm: domaine.fr
> The external client is on a different realm: newdomaine.fr
>
> My goal is to generate a certificate for the external client.
>
> So, with the web UI in the sub CA, I've added the DNS zone newdomaine.fr and
> the host external.domaine.fr.
>
> From the server, when I run the command below:
>
>   ipa-getcert request -v -f /etc/pki/tls/certs/externe.crt -k /etc/pki/tls/private/externe.key -N CN=externe.domaine.fr -D externe.newdomaine.fr -K host/externe.newdomaine...@sub.domaine.fr -I externe
>
> I get this result:
>
>   Request ID 'externe':
>     status: CA_REJECTED
>     ca-error: Server at https://subca.domaine.fr/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'fqdn=externe.newdomaine.fr,cn=computers,cn=accounts,dc=sub,dc=domaine,dc=fr'.).
>
> I don't understand, because the host is added.
> Could you explain to me how to fix that, please?
certmonger executes using the host principal of the machine it is running on. By default a host can only issue certs for itself or for its own services.

You can grant permissions for a host to issue certificates for another host or service. This is covered towards the end of https://rcritten.wordpress.com/2018/11/26/how-do-i-get-a-certificate-for-my-web-site-with-ipa/

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
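Added example, not from this thread or from the FreeIPA project: a POSIX shell script for the server that runs certmonger. It pulls the target host out of the ACI denial quoted above, delegates management of that one host entry to the local host with `ipa host-add-managedby` (which sets the managedBy attribute the default host-certificate ACI keys on, so nothing broader than that single host is granted), verifies the attribute, and resubmits request 'externe'. It assumes an admin Kerberos ticket on the server and that the target host entry already exists in IPA; the request ID and hostnames are the thread's.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes: run on the IPA-enrolled host
# that runs certmonger, with a Kerberos ticket for an IPA admin (kinit admin),
# and that the target host entry already exists in IPA.
set -eu

# Constructed sample of the ca-error text certmonger reports when the local
# host principal may not write userCertificate on another host's entry.
SAMPLE_ERROR="Server at https://subca.domaine.fr/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'fqdn=externe.newdomaine.fr,cn=computers,cn=accounts,dc=sub,dc=domaine,dc=fr'.)."

# Print the FQDN of the host entry named in the ACI denial; print nothing
# when the message is some other kind of failure.
target_from_certmonger_error() {
    printf '%s\n' "$1" \
        | sed -n "s/.*entry 'fqdn=\([^,]*\),cn=computers.*/\1/p" \
        | head -n 1
}

# Least-privilege fix: make the certmonger host a manager of the target host
# entry (managedBy), which is what the default IPA ACI for writing another
# host's certificate checks. No role or global privilege is granted.
grant_cert_delegation() {
    managing_host=$1
    target_host=$2
    ipa host-add-managedby "$target_host" --hosts="$managing_host"
    # Confirm the attribute really carries the managing host before retrying.
    ipa host-show "$target_host" --all --raw \
        | grep -i "managedby:.*fqdn=$managing_host," \
        || { echo "managedBy not set on $target_host" >&2; return 1; }
}

# Resubmit the rejected tracking request rather than creating a second one.
retry_request() {
    ipa-getcert resubmit -i "$1"
    ipa-getcert list -i "$1"
}

if [ "${1:-}" = "fix" ]; then
    target=$(target_from_certmonger_error "$(ipa-getcert list -i externe)")
    [ -n "$target" ] || { echo "no ACI denial found for request 'externe'" >&2; exit 1; }
    grant_cert_delegation "$(hostname -f)" "$target"
    retry_request externe
fi
```

Run as `sh fix-delegation.sh fix` on the server after `kinit admin`; without the `fix` argument the script only defines the functions.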