On 10/13/2017 09:17 AM, Rob Crittenden wrote:
Mark Haney via FreeIPA-users wrote:
I'm pretty sure y'all are tired of my stupid questions, but I've got
that new Geek smell with regards to IPA, and definitely with manual
configuration.  This should be easy to answer.  I've got all the
necessaries manually setup and I'm at the step to get the certificate
from the IPA server.  TFM states this is the correct syntax to do so:

[root@ipaclient ~]# ipa-getcert request -d /etc/pki/nssdb -n Server-Cert
-K HOST/ipaclient.example.com -N 'CN=ipaclient.example.com,O=EXAMPLE.COM'

The problem I'm having is with the HOST/ and CN options, the reason
being that the host I'm enrolling doesn't have the same domain name as
the IPA server I'm using.  The client is 'rad.astacalska.net' and the
IPA server domain (and realm) is neonova.net.  In IPA the client
principal alias is host/rad.astacalaska....@neonova.net.  I tried this:

ipa-getcert  request -d /etc/pki/nssdb -n Server-Cert -K
HOST/rad.astacalaska.net -N 'CN=rad.astacalaska.net,O=NEONOVA.NET'

You may want host/... instead of HOST. Case matters for Kerberos principals (but the strings are more or less semi-established "standards"). Strictly speaking the prefix doesn't matter, it provides a "bucket" so IPA knows where to store the cert. If you use host/ it won't conflict with any other host entries and won't require a separate service entry.

I tried changing HOST/ to host/ and got this:
Certificate at same location is already used by request with nickname "20171013123749"

Seems it doesn't matter on this setup.  Oh, probably should mention this is a CentOS 6.9 box. In case that matters.

Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
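The exchange above turns on two things: the principal passed with -K must use the client's own FQDN with the IPA realm (not the client's DNS domain), and the "Certificate at same location is already used by request" error means certmonger already has a tracking request bound to that NSS database and nickname, so a second request is refused. The script below is an added example, not code from the thread or from FreeIPA/certmonger. It builds the expected host/ principal and ipa-getcert command line for a client whose domain differs from the realm, and parses `getcert list` output to find the request ID that already owns the location. The `getcert list` text it reads is a constructed sample that mirrors certmonger's layout (the request ID is the one quoted in the thread); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): pick the right principal for a client
# whose DNS domain differs from the IPA realm, and check certmonger's
# tracking list before submitting a duplicate ipa-getcert request.

# Principal the IPA host entry uses: lowercase host/ prefix, the client's own
# FQDN, and the IPA realm (NEONOVA.NET), not the client's DNS domain.
expected_principal() {
    fqdn=$1; realm=$2
    printf 'host/%s@%s\n' "$fqdn" "$realm"
}

# The ipa-getcert request line for an NSS database location and nickname.
request_cmd() {
    fqdn=$1; realm=$2; db=$3; nick=$4
    printf "ipa-getcert request -d %s -n %s -K %s -N 'CN=%s,O=%s'\n" \
        "$db" "$nick" "$(expected_principal "$fqdn" "$realm")" "$fqdn" "$realm"
}

# Read `getcert list` output on stdin; print the Request ID whose key pair
# storage already points at this database + nickname (the "already used by
# request" case). Exit status 1 if nothing tracks that location.
existing_request_id() {
    db=$1; nick=$2
    awk -v db="$db" -v nick="$nick" -v q="'" '
        /^Request ID / { id = $3; gsub(q, "", id); gsub(":", "", id) }
        /key pair storage:/ && index($0, "location=" q db q) && index($0, "nickname=" q nick q) {
            print id; found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# Decide for one client: report the existing request or print the new command.
plan_request() {
    fqdn=$1; realm=$2; db=$3; nick=$4
    if id=$(existing_request_id "$db" "$nick"); then
        printf 'already tracked as request %s; inspect with: getcert list -i %s\n' "$id" "$id"
    else
        request_cmd "$fqdn" "$realm" "$db" "$nick"
    fi
}

# Constructed sample of `getcert list` output (layout follows certmonger's;
# the values are illustrative, the request ID is the one from the thread).
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID '20171013123749':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=rad.astacalaska.net,O=NEONOVA.NET
    principal name: host/rad.astacalaska.net@NEONOVA.NET
EOF
}

# Stand-alone demo: the sample already tracks Server-Cert in /etc/pki/nssdb,
# so this reports the existing request instead of issuing a second one.
sample_getcert_list | plan_request rad.astacalaska.net NEONOVA.NET /etc/pki/nssdb Server-Cert
```

On a real client, replace `sample_getcert_list` with `getcert list -d /etc/pki/nssdb -n Server-Cert`; if a request ID comes back, inspect it with `getcert list -i ID` (and `getcert stop-tracking -i ID` if it is stale) rather than submitting another request for the same location.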
