Stephen Ingram wrote:
On Mon, Dec 5, 2011 at 12:49 PM, Rob Crittenden wrote:


Be sure that the CN value is the FQDN of your server.

IPA server:
# ipa cert-request --principal HTTP/ /path/to/csr.pem
# ipa service-show --out=/tmp/service.crt HTTP/

Your cert will be in /tmp/service.crt and PEM formatted for easy use. The
output of cert-request is just a base64 blob.


This may be handy to augment the IPA documentation too if you want to donate
back your findings :-)

OK, I'm going through lots of different scenarios to try to document
this entire process and ran into one problem so far. Using your
suggested command above to retrieve the cert via the command line:

ipa service-show --out=/tmp/service.crt HTTP/

This does not work for the host certificate:

e.g. ipa service-show --out=/tmp/service.crt host/

While it is now easy to get the PEM formatted cert from the UI in
version 2.1.4, I don't see any way to obtain this particular cert from
the command line other than

ipa cert-show {serial number}

which is obviously not very convenient.

Is there another way I'm missing or is that it?


The host service principal is treated differently. It is stored in the host entry itself, so use host-show --out.


Freeipa-users mailing list
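
Added example (not part of the thread and not FreeIPA's own code): a shell helper that checks a CSR's CN against the server FQDN before cert-request and prints the matching retrieval command, host-show for host/ principals and service-show for everything else. The function names, the hostname www.example.test, the realm and the file paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; hostnames, realm and paths used with it are constructed.

# Print the CN from an RFC 2253 subject line such as
# "subject=CN=www.example.test,O=EXAMPLE.TEST".
# Assumes the CN holds a hostname (no escaped commas in the value).
cn_from_subject() {
    printf '%s\n' "$1" | sed -e 's/^subject=//' | tr ',' '\n' |
        sed -n 's/^ *[Cc][Nn]=//p' | head -n 1
}

# Read the subject CN out of a CSR file (needs the openssl CLI).
csr_cn() {
    cn_from_subject "$(openssl req -in "$1" -noout -subject -nameopt RFC2253)"
}

# Succeed only if the CN is non-empty and equals the FQDN (case-insensitive).
cn_matches_fqdn() {
    a=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    b=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print the command that writes the PEM cert for a principal to a file.
# host/ certificates are stored in the host entry, so they need host-show;
# any other service principal (HTTP/, ldap/, ...) uses service-show.
cert_fetch_cmd() {
    principal=$1
    out=$2
    case $principal in
        host/*)
            fqdn=${principal#host/}   # drop the "host/" prefix
            fqdn=${fqdn%%@*}          # drop an optional @REALM suffix
            printf 'ipa host-show --out=%s %s\n' "$out" "$fqdn" ;;
        */*)
            printf 'ipa service-show --out=%s %s\n' "$out" "$principal" ;;
        *)
            echo "not a service principal: $principal" >&2
            return 1 ;;
    esac
}
```

Typical use is `cn_matches_fqdn "$(csr_cn /path/to/csr.pem)" "$(hostname -f)"` before running cert-request, then running the line printed by `cert_fetch_cmd`.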
