We have a need where we want to allow a user to submit their own CSR to generate their own SSL certificate and to be able to download their own certificate.

I get the following error:

Insufficient access: Principal 'testplem@MGMT.EXAMPLE.COM' is not permitted to use CA 'ipa' with profile 'IECUserRoles' for certificate issuance.

Here are the permissions I have set up.

* Create a new Privilege called SelfService

* Add the following permissions to the SelfService Privilege
  * Request Certificate (FreeIPA builtin permission)
  * Retrieve Certificates from the CA (FreeIPA builtin permission)
  * UserSelfSerivceCertificate (custom permission)
  * ReadCAProfile (custom permission)
  * ReadIPACA (custom permission)

* Create Role called SelfService
  * Attach the SelfService Privilege to this Role

* I then attach that Role to a test user.

I am sure I am missing other permissions, but I am not sure what. If there is already documentation that explains how to do this, I am happy to reference that. If not, what else am I missing?

============

dn: cn=UserSelfSerivceCertificate,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com
member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com
ipaPermRight: read
ipaPermRight: search
ipaPermRight: compare
ipaPermRight: write
ipaPermRight: add
ipaPermTargetFilter: (objectclass=posixaccount)
ipaPermBindRuleType: permission
ipaPermissionType: SYSTEM
ipaPermissionType: V2
cn: UserSelfSerivceCertificate
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
ipaPermLocation: cn=users,cn=accounts,dc=mgmt,dc=example,dc=com
ipaPermIncludedAttr: usercertificate

============
dn: cn=ReadCAProfile,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com
member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com
ipaPermBindRuleType: permission
ipaPermTarget: cn=IECUserRoles,cn=certprofiles,cn=ca,dc=mgmt,dc=example,dc=com
ipaPermRight: read
ipaPermRight: search
ipaPermTargetFilter: (objectclass=ipacertprofile)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
cn: ReadCAProfile
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
ipaPermLocation: cn=certprofiles,cn=ca,dc=mgmt,dc=example,dc=com
ipaPermIncludedAttr: cn
ipaPermIncludedAttr: description
ipaPermIncludedAttr: ipacertprofilestoreissued
ipaPermIncludedAttr: objectclass

============

dn: cn=ReadIPACA,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com
member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com
ipaPermTarget: cn=ipa,cn=cas,cn=ca,dc=mgmt,dc=example,dc=com
ipaPermRight: read
ipaPermRight: search
ipaPermRight: compare
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermBindRuleType: permission
ipaPermissionType: SYSTEM
ipaPermissionType: V2
cn: ReadIPACA
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
ipaPermLocation: cn=cas,cn=ca,dc=mgmt,dc=example,dc=com
ipaPermIncludedAttr: cn
ipaPermIncludedAttr: description
ipaPermIncludedAttr: ipacaid
ipaPermIncludedAttr: ipacaissuerdn
ipaPermIncludedAttr: ipacasubjectdn
ipaPermIncludedAttr: objectclass


Thank you for any insight you are able to provide.

--
Mike Plemmons 
Senior Infrastructure Engineer
614-427-2411
99 E. Main Street
Columbus, OH 43215
oliveai.com

Meet Olive, Your Newest Employee
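The setup from the post, rewritten as ipa CLI commands. This is an added example by the editor, not the poster's own script and not FreeIPA project code. It keeps the names from the post (privilege and role SelfService, the three custom permissions spelled as posted, profile IECUserRoles, CA "ipa", user testplem, base DN dc=mgmt,dc=example,dc=com) and adds one step the post does not show: a CA ACL. The quoted error text is the one FreeIPA raises when no CA ACL grants the requesting principal the named CA and profile, and RBAC permissions alone do not satisfy that check. The CA ACL name, the descriptions and the DRY_RUN wrapper are assumptions made here.

```shell
#!/bin/sh
# Added example (editor's, not the poster's or FreeIPA's): the SelfService
# privilege/role from the post as ipa(1) commands, plus a CA ACL.
# Assumed here: CA ACL name SelfService_IECUserRoles, the descriptions,
# and the DRY_RUN print-or-run wrapper.
set -eu

DRY_RUN="${DRY_RUN:-1}"                              # 1 = print, 0 = execute
BASEDN="${BASEDN:-dc=mgmt,dc=example,dc=com}"        # from the posted LDIF

# Print or execute a command, so the whole plan can be reviewed offline
# before it touches a live realm.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1, as described in the post: privilege, permissions, role, member.
setup_rbac() {
    user="$1"
    run ipa privilege-add SelfService --desc="Self-service user certificates"
    run ipa privilege-add-permission SelfService \
        --permissions="Request Certificate" \
        --permissions="Retrieve Certificates from the CA"
    # Write userCertificate on user entries: location cn=users and filter
    # (objectclass=posixaccount), which --type=user generates.
    run ipa permission-add UserSelfSerivceCertificate \
        --type=user --right=read --right=write \
        --attrs=usercertificate --bindtype=permission
    # Read the one profile entry and the CA entry, mirroring the posted
    # ipaPermTarget / ipaPermLocation / ipaPermTargetFilter values.
    run ipa permission-add ReadCAProfile \
        --target="cn=IECUserRoles,cn=certprofiles,cn=ca,$BASEDN" \
        --subtree="cn=certprofiles,cn=ca,$BASEDN" \
        --targetfilter="(objectclass=ipacertprofile)" \
        --right=read --right=search \
        --attrs=cn --attrs=description --attrs=ipacertprofilestoreissued
    run ipa permission-add ReadIPACA \
        --target="cn=ipa,cn=cas,cn=ca,$BASEDN" \
        --subtree="cn=cas,cn=ca,$BASEDN" \
        --targetfilter="(objectclass=ipaca)" \
        --right=read --right=search --right=compare \
        --attrs=cn --attrs=description --attrs=ipacaid \
        --attrs=ipacaissuerdn --attrs=ipacasubjectdn
    run ipa privilege-add-permission SelfService \
        --permissions=UserSelfSerivceCertificate \
        --permissions=ReadCAProfile --permissions=ReadIPACA
    run ipa role-add SelfService --desc="Request own certificate"
    run ipa role-add-privilege SelfService --privileges=SelfService
    run ipa role-add-member SelfService --users="$user"
}

# Step 2, added here: the CA ACL that pairs principal, CA and profile.
# Without a matching CA ACL the cert-request is refused with the
# "not permitted to use CA ... with profile ..." error, regardless of RBAC.
setup_caacl() {
    user="$1"
    run ipa caacl-add SelfService_IECUserRoles \
        --desc="Self-service users may request IECUserRoles from CA ipa"
    run ipa caacl-add-ca SelfService_IECUserRoles --cas=ipa
    run ipa caacl-add-profile SelfService_IECUserRoles --certprofiles=IECUserRoles
    run ipa caacl-add-user SelfService_IECUserRoles --users="$user"
}

# Step 3: the request the user then makes after kinit as themselves.
request_cert() {
    user="$1"
    csr="$2"
    run ipa cert-request "$csr" --principal="$user" \
        --profile-id=IECUserRoles --ca=ipa
}

main() {
    setup_rbac "$1"
    setup_caacl "$1"
    request_cert "$1" "${2:-user.csr}"
}

# Usage: DRY_RUN=1 ./selfservice.sh testplem user.csr  (review the plan)
#        DRY_RUN=0 ./selfservice.sh testplem user.csr  (apply as an admin)
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it once with DRY_RUN=1 (the default) to read the plan, then DRY_RUN=0 with an admin ticket; `ipa caacl-show SelfService_IECUserRoles` confirms the ACL afterwards. One caveat on the posted UserSelfSerivceCertificate permission: with ipaPermBindRuleType: permission and a filter of (objectclass=posixaccount), every holder of the role can write userCertificate on every user entry, not only their own. A permission with ipaPermBindRuleType: self (--bindtype=self) limits the write to the bound user's own entry, which matches the self-service goal; such a permission applies to the bound user directly and is not attached to a privilege.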