I'm having some trouble getting sub-CA signed certificates issued and managed by
certmonger. The implementation here [https://www.freeipa.org/page/V4/Sub-CAs] describes
how that should work. I see that the -X option can be passed to ipa-getcert to specify the
issuer, but every time I create a request with -X specified I get an error.
Steps to reproduce:
1. Create a new CA named "Test" through the FreeIPA web UI.
2. Run the following on a host enrolled in FreeIPA:
    ipa-getcert request -k /root/test.key -f /root/test.crt -I "testrequest" -X "Test"
3. Run ipa-getcert list and receive an error message:
Request ID 'test':
    status: CA_REJECTED
    ca-error: Server at https://ipa02.yyy.com/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. ).
    stuck: yes
    key pair storage: type=FILE,location='/root/test.key'
    certificate: type=FILE,location='/root/test.crt'
    CA: IPA
    issuer:
    subject:
    expires: unknown
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Running FreeIPA 4.6.4
Thanks for the help!