Bret Wortman via FreeIPA-users wrote:
> I know I can paste a CSR from one of our servers into the GUI and
> generate a new cert, but how can I do this from a command line?
> I've been working with this:
> # ipa cert-request --principal=HTTP/$HOST $DB/$HOST.csr
Add the --add option to create the principal if it doesn't already exist
(assuming your Kerberos principal has rights to add one).
You can make this all automatic with something like:
# KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa cert-request --add \
    --principal=HTTP/$HOST $DB/$HOST.csr
No kinit needed.
> But that's giving me an error that the principal doesn't exist. Then
> (admittedly, I picked up this command from a discussion I found):
> # ipa cert-show $SERIAL_NUMBER --out=$DB/sslcert.pem
> How do I get the serial number?
> Basically, I'm trying to wrap and automate the process of granting a new
> cert to a server.
The serial number will be in the output from the cert-request command,
twice actually: one decimal, one hex.
You can do it hackily via something like:
SERIAL_NUMBER=$(KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa cert-request \
    --principal bar/$(hostname) /tmp/csr --add 2>&1 \
    | grep "Serial number: " | cut -d: -f2)
Though that won't catch errors. You can also do a service-show
HTTP/$HOST to get the serial number.
rob
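Putting Rob's pieces together into a wrapper that does catch errors, as an added example that is not part of the thread and not FreeIPA's own code: it authenticates with the host keytab (no kinit), requests the certificate with --add, extracts the decimal serial from the cert-request output without letting a pipeline swallow a failed command, and then fetches the PEM with cert-show. The keytab path, the principal and CSR arguments, and the sample cert-request output embedded for the offline demonstration are all assumptions made here, not values from the list.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): automate
# cert-request -> serial number -> cert-show with error checking.
# Assumes /etc/krb5.keytab holds a principal allowed to add the service
# (as Rob notes) and that the CSR already exists on disk.
set -eu

KEYTAB=${KEYTAB:-/etc/krb5.keytab}

# parse_serial: read `ipa cert-request` output on stdin and print the
# decimal serial. The pattern requires "Serial number:" followed directly
# by digits, so the "Serial number (hex): 0x..." line is not matched.
# Returns 1 when no serial is present (e.g. the command printed an error).
parse_serial() {
    serial=$(sed -n 's/^[[:space:]]*Serial number:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' | head -n 1)
    [ -n "$serial" ] || return 1
    printf '%s\n' "$serial"
}

# request_cert PRINCIPAL CSR OUTFILE: request a cert for PRINCIPAL from
# CSR, write the PEM to OUTFILE, and print the serial number on success.
request_cert() {
    principal=$1
    csr=$2
    out=$3
    # Capture the output and the exit status separately. `2>&1 | grep`
    # would hide a failure (unknown principal, no permission) behind
    # grep's exit status and leave SERIAL_NUMBER empty.
    if ! output=$(KRB5_CLIENT_KTNAME="$KEYTAB" ipa cert-request --add \
            --principal="$principal" "$csr" 2>&1); then
        printf 'cert-request failed:\n%s\n' "$output" >&2
        return 1
    fi
    if ! serial=$(printf '%s\n' "$output" | parse_serial); then
        printf 'no serial number found in cert-request output\n' >&2
        return 1
    fi
    KRB5_CLIENT_KTNAME="$KEYTAB" ipa cert-show "$serial" --out="$out"
    printf '%s\n' "$serial"
}

# Constructed sample of cert-request output (shape only, not captured
# from a real server) so parse_serial can be exercised offline. Note the
# serial appears twice, once decimal and once hex, as Rob says.
SAMPLE_OUTPUT='  Issuing CA: ipa
  Certificate: MIIDxTCCAq2gAwIBAgIC...
  Subject: CN=web1.example.test,O=EXAMPLE.TEST
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Not Before: Mon Jan 01 00:00:00 2024 UTC
  Not After: Wed Jan 01 00:00:00 2026 UTC
  Serial number: 268369925
  Serial number (hex): 0xFFF0005'

if [ "${1:-}" = "--demo" ]; then
    # Offline demonstration of the parsing step only.
    printf '%s\n' "$SAMPLE_OUTPUT" | parse_serial
elif [ $# -eq 3 ]; then
    # Real run: request_cert HTTP/$(hostname) /path/to/host.csr /path/to/sslcert.pem
    request_cert "$@"
fi
```

Run it as `./ipa-cert.sh HTTP/$(hostname) $DB/$HOST.csr $DB/sslcert.pem`; a failed cert-request (for example the "principal doesn't exist" case when --add is refused for lack of rights) now exits non-zero with the server's message instead of silently producing an empty serial.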