On 12/18/2011 09:05 PM, Stephen Ingram wrote:
On Mon, Dec 5, 2011 at 12:49 PM, Rob Crittenden<rcrit...@redhat.com>  wrote:


Be sure that the CN value is the FQDN of your server.

IPA server:
# ipa cert-request --prinicipal HTTP/remote.example.com /path/to/csr.pem
# ipa service-show --out=/tmp/service.crt HTTP/remote.example.com

Your cert will be in /tmp/service.crt and PEM formatted for easy use. The
output of cert-request is just a base64 blob.


This may be handy to augment the IPA documentation too if you want to donate
back your findings :-)

OK, I'm going through lots of different scenarios to try to document
this entire process and ran into one problem so far. Using your
suggested command above to retrieve the cert via the command line:

ipa service-show --out=/tmp/service.crt HTTP/remote.example.com

This does not work for the host certficiate:

e.g. ipa service-show --out=/tmp/service.crt host/remote.example.com

While it is now easy to get the PEM formatted cert from the UI in
version 2.1.4, I don't see any way to obtain this particular cert from
the command line other than

ipa cert-show {serial number}

which is obviously not very convenient.

Is there another way I'm missing or is that it?

Sorry, but currently on the command line the only way to specify a certificate is via it's serial number. The serial number is the only identifier guaranteed to be unique. However, I agree it's not convenient. Would you like to open an RFE (Request for Enhancement) on https://fedorahosted.org/freeipa/

John Dennis <jden...@redhat.com>

Looking to carve out IT costs?

Freeipa-users mailing list

Reply via email to