On 13/02/2020 14:46, Fraser Tweedale wrote:
> On Thu, Feb 13, 2020 at 11:59:34AM +0000, lejeczek via FreeIPA-users
> wrote:
>> hi everyone,
>>
>> how, if possible at all, to have IPA sign a cert sign request which is
>> not part of IPA's domain/realm?
>>
>> many thanks, L.
>>
> You sure can.  Just add the host principal for the name you want,
> and use it as the subject principal.  The same operator
> authorisation and CA ACLs enforcement is applied for every
> certificate request, whether the subject DNS name is within the IPA
> domain or not.
>
> Cheers,
> Fraser
>
okay, would you correct whatever my wrongdoing here was?

$ ipa dnsrecord-add  dracownia.nr. idrac-HV2315J-rider --a-rec=192.168.2.11

$ ipa host-add idrac-941415J-swir.dracownia.nr

$ ipa service-add http/idrac-941415J-swir.dracownia.nr

$ ipa service-add-host --hosts=idrac-941415J-swir.dracownia.nr http/idrac-941415J-swir.dracownia.nr

$ ipa cert-request idrac-941415J-swir.csr --principal=http/idrac-941415J-swir.dracownia.nr
ipa: ERROR: invalid 'csr': hostname in subject of request
'idrac-941415J-swir' does not match name or aliases of principal
'http/idrac-941415J-swir.dracownia.nr@IPA_DOMAIN'

I believe it's trivial, but before I play it all out, you, I'm sure, can
point out the silly mistakes and oversights already.

many thanks, L.
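
The name check reported in the error above, reproduced locally as an added example (not part of the original message and not FreeIPA's own code). It compares only the CSR's subject CN with the host part of the principal; the helper function names are hypothetical and the CSRs are constructed with throwaway keys.

```shell
#!/bin/sh
# Added example: local pre-check of a CSR subject CN against an IPA principal.
# Helper names are hypothetical; this is not FreeIPA code and ignores SANs/aliases.

# "http/host.example@REALM" -> "host.example" (lower-cased)
principal_host() {
    p=${1%@*}                                  # drop "@REALM" if present
    printf '%s\n' "${p#*/}" | tr 'A-Z' 'a-z'   # drop "service/" prefix
}

# Print the lower-cased subject CN of a PEM CSR file
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' | tr 'A-Z' 'a-z'
}

# Succeeds only when the CSR's CN equals the principal's host name
csr_matches_principal() {
    [ "$(csr_cn "$1")" = "$(principal_host "$2")" ]
}

# make_csr <cn> <outfile>: constructed CSR with a throwaway key, for the demo
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$2.key" \
        -out "$2" -subj "/CN=$1" 2>/dev/null
}

demo() {
    tmp=$(mktemp -d)
    principal='http/idrac-941415J-swir.dracownia.nr@IPA_DOMAIN'
    make_csr idrac-941415J-swir "$tmp/short.csr"
    make_csr idrac-941415J-swir.dracownia.nr "$tmp/fqdn.csr"
    for f in short fqdn; do
        if csr_matches_principal "$tmp/$f.csr" "$principal"; then
            echo "$f.csr: CN matches principal host"
        else
            echo "$f.csr: CN '$(csr_cn "$tmp/$f.csr")' does not match principal host"
        fi
    done
    rm -rf "$tmp"
}
demo
```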
