[Freeipa-users] Re: How to grant CSR from command line

2019-04-11 Thread Rob Crittenden via FreeIPA-users
Bret Wortman via FreeIPA-users wrote:
> I know I can paste a CSR from one of our servers into the GUI and
> generate a new cert, but how can I do this from a command line?
> 
> I've been working with this:
> 
> # ipa cert-request --principal=HTTP/$HOST $DB/$HOST.csr

Add the --add option to create the principal if it doesn't already exist
(assuming your kerberos principal has rights to add one).

You can make this all automatic with something like:

# KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa cert-request --add \
    --principal=HTTP/$HOST $DB/$HOST.csr

No kinit needed.

> But that's giving me an error that the principal doesn't exist. Then
> (admittedly, I picked up this command from a discussion I found):
> 
> # ipa cert-show $SERIAL_NUMBER --out=$DB/sslcert.pem
> 
> How do I get the serial number?
> 
> Basically, I'm trying to wrap and automate the process of granting a new
> cert to a server.

The serial number will be in the output from the cert-request command,
twice actually: one decimal, one hex.

You can do it hackily via something like:

SERIAL_NUMBER=$(KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa cert-request \
    --principal bar/`hostname` /tmp/csr --add 2>&1 \
    | grep "Serial number: " | cut -d: -f2)

Though that won't catch errors. You can also do a service-show
HTTP/$HOST to get the serial number.

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
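
An added example, not part of the message above or of FreeIPA itself: a POSIX sh wrapper around the two commands from this thread that checks the exit status of `ipa cert-request` and fails when no decimal serial is found, instead of piping stdout and stderr through grep. The function names and the sample output are constructed for illustration; real use assumes `ipa` is on PATH.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Constructed sample of successful `ipa cert-request` output; values made up.
SAMPLE_OK='  Issuing CA: ipa
  Certificate: (base64 omitted in this constructed sample)
  Subject: CN=web1.example.test,O=EXAMPLE.TEST
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Serial number: 12
  Serial number (hex): 0xC'

# parse_serial: read cert-request output on stdin and print the decimal
# serial. The hex line does not match because of its "(hex)" suffix.
# Returns non-zero when no serial line is present.
parse_serial() {
    sed -n 's/^[[:space:]]*Serial number:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' \
        | head -n 1 | grep .
}

# issue_cert PRINCIPAL CSR_FILE OUT_PEM
# Requests the certificate, then saves it with cert-show. Prints the serial
# on success; returns non-zero (ipa's own error stays on stderr) on failure.
issue_cert() {
    principal=$1; csr=$2; out=$3

    # Capture stdout only, so an error message is never mistaken for data,
    # and test the exit status before looking at the output.
    output=$(KRB5_CLIENT_KTNAME=/etc/krb5.keytab \
        ipa cert-request --add --principal="$principal" "$csr") || {
        echo "cert-request failed for $principal" >&2
        return 1
    }

    serial=$(printf '%s\n' "$output" | parse_serial) || {
        echo "no serial number in cert-request output" >&2
        return 1
    }

    KRB5_CLIENT_KTNAME=/etc/krb5.keytab \
        ipa cert-show "$serial" --out="$out" >/dev/null || return 1
    printf '%s\n' "$serial"
}

# Demonstration on the constructed sample (prints 12).
printf '%s\n' "$SAMPLE_OK" | parse_serial
```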


[Freeipa-users] Re: How to grant CSR from command line

2019-04-11 Thread Bret Wortman via FreeIPA-users
Thanks, Rob. I'm a lot closer now.

What I'm getting now looks like:

# KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa cert-request --add \
    --principal=HTTP/$HOST $DB/$HOST.csr
IPA: error: tHE SERVICE PRINCIPAL FOR SUBJECT ALT NAME myhost in certificate request does not exist

What we've done before is set up each system with its FQDN and just its
hostname (and some have other aliases as well). Is that what's causing a
problem?

I've looked for documentation on the ipa cert-request command but can't
seem to find anything.

Bret Wortman
Founder, Damascus Products, LLC



[Freeipa-users] Re: How to grant CSR from command line

2019-04-11 Thread Rob Crittenden via FreeIPA-users
Bret Wortman via FreeIPA-users wrote:
> Thanks, Rob. I'm a lot closer now.
> 
> What I'm getting now looks like:
> 
> # KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa cert-request --add \
>     --principal=HTTP/$HOST $DB/$HOST.csr
> IPA: error: tHE SERVICE PRINCIPAL FOR SUBJECT ALT NAME myhost in
> certificate request does not exist
> 
> What we've done before is set up each system with its FQDN and just its
> hostname (and some have other aliases as well). Is that what's causing a
> problem?
> 
> I've looked for documentation on the ipa cert-request command but can't
> seem to find anything.

IPA requires that every hostname in a cert exist in IPA (so you don't
request a SAN for a host you don't own). In this case it is looking for
HTTP/ which I presume doesn't exist.

You can try forcing the creation with:

$ ipa service-add HTTP/ --force

rob

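
An added example (not from the thread or the FreeIPA code): a local pre-flight check for the rule described in the message above, listing the DNS SANs in a CSR and reporting any that are not among hostnames already known to be registered. The function names and the sample `openssl req -text` excerpt are constructed, and the list of registered hostnames is assumed to be supplied by the caller.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Constructed `openssl req -noout -text` excerpt: the CN is an FQDN, but
# one SAN is a bare short name like the "myhost" in the error above.
SAMPLE_CSR_TEXT='Certificate Request:
    Data:
        Subject: CN = myhost.example.test
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:myhost, DNS:myhost.example.test'

# csr_dns_sans: read `openssl req -noout -text` output on stdin and print
# each DNS subjectAltName on its own line.
csr_dns_sans() {
    awk '
        /X509v3 Subject Alternative Name/ { grab = 1; next }
        grab {
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] ~ /^DNS:/) print substr(parts[i], 5)
            }
            grab = 0
        }'
}

# unregistered_sans HOSTNAME...: read SAN names on stdin and print those
# that match none of the given hostnames (case-insensitive).
# Returns 1 if any name was printed, 0 if every SAN is covered.
unregistered_sans() {
    rc=0
    while IFS= read -r san; do
        want=$(printf '%s' "$san" | tr '[:upper:]' '[:lower:]')
        found=no
        for known in "$@"; do
            have=$(printf '%s' "$known" | tr '[:upper:]' '[:lower:]')
            if [ "$want" = "$have" ]; then found=yes; break; fi
        done
        if [ "$found" = no ]; then
            printf '%s\n' "$san"
            rc=1
        fi
    done
    return "$rc"
}

# Real use (assumes openssl is installed; $DB and $HOST as in the thread):
#   openssl req -in "$DB/$HOST.csr" -noout -text | csr_dns_sans \
#       | unregistered_sans "$HOST" || echo "fix the CSR or add principals first"

# Demonstration on the constructed sample (prints myhost).
printf '%s\n' "$SAMPLE_CSR_TEXT" | csr_dns_sans \
    | unregistered_sans myhost.example.test || true
```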


[Freeipa-users] Re: How to grant CSR from command line

2019-04-11 Thread Bret Wortman via FreeIPA-users
I should have realized that. We'll just stick with FQDNs from now on.

I adjusted my wrapper and now it runs to completion and does what we expect. 
Thanks, Rob!

Bret Wortman
Founder, Damascus Products, LLC


[Freeipa-users] Re: How to grant CSR from command line

2019-04-11 Thread Alexander Bokovoy via FreeIPA-users

On Thu, 11 Apr 2019, Rob Crittenden via FreeIPA-users wrote:
> Bret Wortman via FreeIPA-users wrote:
>> Thanks, Rob. I'm a lot closer now.
>>
>> What I'm getting now looks like:
>>
>> # KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa cert-request --add \
>>     --principal=HTTP/$HOST $DB/$HOST.csr
>> IPA: error: tHE SERVICE PRINCIPAL FOR SUBJECT ALT NAME myhost in
>> certificate request does not exist
>>
>> What we've done before is set up each system with its FQDN and just its
>> hostname (and some have other aliases as well). Is that what's causing a
>> problem?
>>
>> I've looked for documentation on the ipa cert-request command but can't
>> seem to find anything.
>
> IPA requires that every hostname in a cert exist in IPA (so you don't
> request a SAN for a host you don't own). In this case it is looking for
> HTTP/ which I presume doesn't exist.
>
> You can try forcing the creation with:
>
> $ ipa service-add HTTP/ --force

Alternatively, you can add an alias to the service principal.

ipa service-add-principal HTTP/fullname HTTP/shortname

'ipa cert-request' allows matching hostnames of service principal
aliases (the part after the first /) since 4.5.0.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Managemen

[Freeipa-users] Re: How to grant CSR from command line

2019-04-11 Thread Rob Crittenden via FreeIPA-users
Alexander Bokovoy via FreeIPA-users wrote:
> On Thu, 11 Apr 2019, Rob Crittenden via FreeIPA-users wrote:
>> Bret Wortman via FreeIPA-users wrote:
>>> Thanks, Rob. I'm a lot closer now.
>>>
>>> What I'm getting now looks like:
>>>
>>> # KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa cert-request --add \
>>>     --principal=HTTP/$HOST $DB/$HOST.csr
>>> IPA: error: tHE SERVICE PRINCIPAL FOR SUBJECT ALT NAME myhost in
>>> certificate request does not exist
>>>
>>> What we've done before is set up each system with its FQDN and just its
>>> hostname (and some have other aliases as well). Is that what's causing a
>>> problem?
>>>
>>> I've looked for documentation on the ipa cert-request command but can't
>>> seem to find anything.
>>
>> IPA requires that every hostname in a cert exist in IPA (so you don't
>> request a SAN for a host you don't own). In this case it is looking for
>> HTTP/ which I presume doesn't exist.
>>
>> You can try forcing the creation with:
>>
>> $ ipa service-add HTTP/ --force
> Alternatively, you can add an alias to the service principal.
> 
> ipa service-add-principal HTTP/fullname HTTP/shortname
> 
> 'ipa cert-request' allows matching hostnames of service principal
> aliases (the part after the first /) since 4.5.0.

This doesn't work in my quickie testing.

$ hostname
ipa.example.test
$ ipa service-show bar/ipa.example.test
  Principal name: bar/ipa.example.t...@example.test
  Principal alias: bar/ipa.example.t...@example.test, [Principal alias]:
   bar/i...@example.test
  Keytab: False
  Managed by: ipa.example.test
< create CSR with DNS SAN of ipa >
...
   Subject: CN = ipa.example.test
...
Requested Extensions:
X509v3 Subject Alternative Name:
DNS:ipa
$ ipa cert-request --principal bar/`hostname` /tmp/csr  --add
ipa: ERROR: The service principal for subject alt name ipa in
certificate request does not exist

rob


[Freeipa-users] Re: How to grant CSR from command line

2019-04-12 Thread Alexander Bokovoy via FreeIPA-users

On Thu, 11 Apr 2019, Rob Crittenden via FreeIPA-users wrote:
> Alexander Bokovoy via FreeIPA-users wrote:
>> On Thu, 11 Apr 2019, Rob Crittenden via FreeIPA-users wrote:
>>> Bret Wortman via FreeIPA-users wrote:
>>>> Thanks, Rob. I'm a lot closer now.
>>>>
>>>> What I'm getting now looks like:
>>>>
>>>> # KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa cert-request --add \
>>>>     --principal=HTTP/$HOST $DB/$HOST.csr
>>>> IPA: error: tHE SERVICE PRINCIPAL FOR SUBJECT ALT NAME myhost in
>>>> certificate request does not exist
>>>>
>>>> What we've done before is set up each system with its FQDN and just its
>>>> hostname (and some have other aliases as well). Is that what's causing a
>>>> problem?
>>>>
>>>> I've looked for documentation on the ipa cert-request command but can't
>>>> seem to find anything.
>>>
>>> IPA requires that every hostname in a cert exist in IPA (so you don't
>>> request a SAN for a host you don't own). In this case it is looking for
>>> HTTP/ which I presume doesn't exist.
>>>
>>> You can try forcing the creation with:
>>>
>>> $ ipa service-add HTTP/ --force
>>
>> Alternatively, you can add an alias to the service principal.
>>
>> ipa service-add-principal HTTP/fullname HTTP/shortname
>>
>> 'ipa cert-request' allows matching hostnames of service principal
>> aliases (the part after the first /) since 4.5.0.
>
> This doesn't work in my quickie testing.
>
> $ hostname
> ipa.example.test
> $ ipa service-show bar/ipa.example.test
>  Principal name: bar/ipa.example.t...@example.test
>  Principal alias: bar/ipa.example.t...@example.test, [Principal alias]:
>   bar/i...@example.test
>  Keytab: False
>  Managed by: ipa.example.test
> < create CSR with DNS SAN of ipa >
> ...
>   Subject: CN = ipa.example.test
> ...
>    Requested Extensions:
>    X509v3 Subject Alternative Name:
>    DNS:ipa
> $ ipa cert-request --principal bar/`hostname` /tmp/csr  --add
> ipa: ERROR: The service principal for subject alt name ipa in
> certificate request does not exist

Works for me via ipa-getcert on 4.7 which internally does 'ipa
cert-request':

...
ipa: INFO: [xmlserver] host/nyx.xs.ipa.c...@xs.ipa.cool: cert_request()
...

# ipa service-show moobar/nyx.xs.ipa.cool
 Principal name: moobar/nyx.xs.ipa.c...@xs.ipa.cool
 Principal alias: moobar/nyx.xs.ipa.c...@xs.ipa.cool, moobar/n...@xs.ipa.cool
 Keytab: True
 Managed by: nyx.xs.ipa.cool
 Users allowed to retrieve keytab: admin
 Users allowed to create keytab: admin


# ipa-getcert request -k /etc/pki/tls/private/moobar.key \
    -f /etc/pki/tls/certs/moobar.crt -D nyx -D nyx.xs.ipa.cool \
    -K moobar/nyx.xs.ipa.cool

# ipa-getcert list -f /etc/pki/tls/certs/moobar.crt
Number of certificates and requests being tracked: 17.
Request ID '20190412080750':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/etc/pki/tls/private/moobar.key'
certificate: type=FILE,location='/etc/pki/tls/certs/moobar.crt'
CA: IPA
issuer: CN=Certificate Authority,O=XS.IPA.COOL
subject: CN=nyx.xs.ipa.cool,O=XS.IPA.COOL
expires: 2021-04-12 10:07:53 CEST
dns: nyx,nyx.xs.ipa.cool
principal name: moobar/nyx.xs.ipa.c...@xs.ipa.cool
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland