On 13/02/2020 14:46, Fraser Tweedale wrote:
> On Thu, Feb 13, 2020 at 11:59:34AM +0000, lejeczek via FreeIPA-users
> wrote:
>> hi everyone,
>> how, if possible at all, to have IPA sign a cert sign request which is
>> not part of IPA's domain/realm?
>> many thanks, L.
> You sure can.  Just add the host principal for the name you want,
> and use it as the subject principal.  The same operator
> authorisation and CA ACLs enforcement is applied for every
> certificate request, whether the subject DNS name is within the IPA
> domain or not.
> Cheers,
> Fraser
okay, would you correct whatever my wrongdoing here was?

$ ipa dnsrecord-add  dracownia.nr. idrac-HV2315J-rider --a-rec=

$ ipa host-add idrac-941415J-swir.dracownia.nr

$ ipa service-add http/idrac-941415J-swir.dracownia.nr

$ ipa service-add-host --hosts=idrac-941415J-swir.dracownia.nr

$ ipa cert-request idrac-941415J-swir.csr
ipa: ERROR: invalid 'csr': hostname in subject of request
'idrac-941415J-swir' does not match name or aliases of principal

I believe it's trivial but before I play it all out, you, I'm sure, can
point out the silly mistakes and oversights already.

many thanks, L.
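
An added example, not part of the original thread and not FreeIPA's own code: a pre-flight check that compares a CSR's subject CN with the hostname of the principal and its aliases, which is the condition named in the error message above. The realm EXAMPLE.TEST, the function names and the sample subject lines are constructed; the subject line is assumed to be in the form printed by `openssl req -noout -subject`.

```python
import re


def principal_hostname(principal):
    """Return the host part of 'service/host@REALM' (realm optional)."""
    name = principal.split("@", 1)[0]
    _service, sep, host = name.partition("/")
    if not sep or not host:
        raise ValueError(f"not a host or service principal: {principal!r}")
    return host.lower()


def subject_cn(subject_line):
    """Extract the CN from a subject line.

    Accepts 'subject=CN = x, O = y' and the older 'subject=/O=y/CN=x'.
    """
    dn = subject_line.strip()
    if dn.startswith("subject="):
        dn = dn[len("subject="):]
    # CN must start the DN or follow a ',' or '/' separator.
    match = re.search(r"(?:^|[,/])\s*CN\s*=\s*([^,/]+)", dn)
    if not match:
        raise ValueError("no CN in subject")
    return match.group(1).strip().lower()


def check_csr_subject(subject_line, principal, aliases=()):
    """Return (ok, message); ok is True when the CN equals the hostname
    of the principal or of one of its aliases (case-insensitive)."""
    cn = subject_cn(subject_line)
    allowed = {principal_hostname(principal)}
    allowed.update(principal_hostname(alias) for alias in aliases)
    if cn in allowed:
        return True, f"CN {cn!r} matches {principal}"
    return False, f"CN {cn!r} does not match any of {sorted(allowed)}"


if __name__ == "__main__":
    # Constructed inputs: short-name CN as in the error above, then the FQDN.
    principal = "http/idrac-941415J-swir.dracownia.nr@EXAMPLE.TEST"
    for line in ("subject=CN = idrac-941415J-swir",
                 "subject=CN = idrac-941415J-swir.dracownia.nr, O = Example"):
        print(check_csr_subject(line, principal))
```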

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org