[Freeipa-users] can't specify DNS name or subject in cert request in FreeIPA 3.3

2015-03-26 Thread Steve Neuharth
I'm trying to specify a subject name in a cert request like this:

ipa-getcert request -K HTTP/web.test.org -N cn=www.test.org,o=TEST.ORG -f /tmp/webserver.crt -k /tmp/webprivate.key -r

or like this

ipa-getcert request -K HTTP/web.test.org -D www.test.org -f /tmp/webserver.crt -k /tmp/webprivate.key -r

The resulting certificate, however, just has the hostname of the server
like this:

Request ID '20150326060555':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/tmp/webprivate.key'
certificate: type=FILE,location='/tmp/webserver.crt'
CA: IPA
issuer: CN=Certificate Authority,O=TEST.ORG
subject: CN=web.test.org,O=TEST.ORG
expires: 2017-03-26 05:46:29 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes

Is this a bug or am I doing something wrong in certmonger?

--steve
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
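
The mismatch reported in the post above can be checked mechanically. This is an added example, not part of the original post and not certmonger code: it parses status output in the format shown above and reports requests whose issued subject differs from the one asked for. The function names and the simplified DN comparison are assumptions made for illustration.

```python
import re

# Constructed sample: the status block from the post, line wraps removed.
SAMPLE = """\
Request ID '20150326060555':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/tmp/webprivate.key'
    certificate: type=FILE,location='/tmp/webserver.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=TEST.ORG
    subject: CN=web.test.org,O=TEST.ORG
    expires: 2017-03-26 05:46:29 UTC
    track: yes
"""

def parse_requests(text):
    """Split status output into {request_id: {field: value}}."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line.strip())
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            # Split on the first colon only; values may contain colons.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def normalize_dn(dn):
    """Comparable form of a DN: lower-cased (attribute, value) pairs."""
    # Assumption: no escaped commas inside attribute values.
    pairs = []
    for rdn in (r.strip() for r in dn.split(",")):
        if rdn:
            attr, _, value = rdn.partition("=")
            pairs.append((attr.strip().lower(), value.strip().lower()))
    return tuple(pairs)

def subject_mismatches(text, wanted):
    """Return {request_id: issued_subject} where it differs from wanted."""
    out = {}
    for rid, fields in parse_requests(text).items():
        want = wanted.get(rid)
        issued = fields.get("subject", "")
        if want and normalize_dn(issued) != normalize_dn(want):
            out[rid] = issued
    return out

if __name__ == "__main__":
    print(subject_mismatches(SAMPLE, {"20150326060555": "cn=www.test.org,o=TEST.ORG"}))
```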

[Freeipa-users] using dogtag outside of freeIPA?

2015-03-27 Thread Steve Neuharth
Hello,

Is it possible or perhaps not recommended to use the dogtag API and/or UI
on a FreeIPA system without using the freeIPA CLI or UI? I have a
requirement to submit a certificate to a service without kerberos and
without client software installed using a RESTful API. Dogtag API is very
well documented and I do not want to associate all my certificates with a
Kerberos principal because it adds complexity to the cert signing process.
I just need to sign a cert without the FreeIPA overhead.

I tried to get to the Dogtag web UI through the url
http://ipa.example.com/ca/ee/ca but I get an unauthenticated web page (no
password prompt) and broken image links. This tells me that perhaps the
Dogtag UI in a FreeIPA installation is not meant to be used without
FreeIPA. Is that correct?

I know this is a weird use case and not necessarily a FreeIPA problem but
if someone could advise, I'd greatly appreciate it.
--steve

[Freeipa-users] freeipa 4.x packages for RHEL?

2015-03-31 Thread Steve Neuharth
Hello,

We're currently running RHEL in production and would love to be using all
the goodness that is FreeIPA 4 including certmonger for certificate
management. I don't see any mention of 4.x packages available for RHEL in
the mailing lists and I have run into problems using the 3.3 client
packages on a 4.x realm.

When will 4.x packages be available for RHEL?
--steve

Re: [Freeipa-users] freeipa 4.x packages for RHEL?

2015-03-31 Thread Steve Neuharth
Excellent. Thanks guys.

On Tuesday, March 31, 2015, Alexander Bokovoy wrote:

> On Tue, 31 Mar 2015, Steve Neuharth wrote:
>
>> Hello,
>>
>> We're currently running RHEL in production and would love to be using all
>> the goodness that is FreeIPA 4 including certmonger for certificate
>> management. I don't see any mention of 4.x packages available for RHEL in
>> the mailing lists and I have run into problems using the 3.3 client
>> packages on a 4.x realm.
>>
>> When will 4.x packages be available for RHEL?
>>
> They are already available, starting with RHEL7.1.
>
> --
> / Alexander Bokovoy
>