On 13/02/2020 14:46, Fraser Tweedale wrote:
On Thu, Feb 13, 2020 at 11:59:34AM +0000, lejeczek via FreeIPA-users
wrote:
> hi everyone,
>
> how, if possible at all, to have IPA sign a cert signing request which is
> not part of IPA's domain/realm?
>
> many thanks, L.
>
You sure can. Just add the host principal for the name you want,
and use it as the subject principal. The same operator
authorisation and CA ACL enforcement are applied for every
certificate request, whether the subject DNS name is within the IPA
domain or not.
Cheers,
Fraser
okay, would you correct whatever my wrongdoing here was?
$ ipa dnsrecord-add dracownia.nr. idrac-HV2315J-rider --a-rec=192.168.2.11
$ ipa host-add idrac-941415J-swir.dracownia.nr
$ ipa service-add http/idrac-941415J-swir.dracownia.nr
$ ipa service-add-host --hosts=idrac-941415J-swir.dracownia.nr http/idrac-941415J-swir.dracownia.nr
$ ipa cert-request idrac-941415J-swir.csr --principal=http/idrac-941415J-swir.dracownia.nr
ipa: ERROR: invalid 'csr': hostname in subject of request
'idrac-941415J-swir' does not match name or aliases of principal
'http/idrac-941415J-swir.dracownia.nr@IPA_DOMAIN'
I believe it's trivial, but before I play it all out, you, I'm sure, can
point out the silly mistakes and oversights already.
many thanks, L.
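The procedure Fraser describes, together with the subject-name check behind the error quoted above, as an added shell example that is not from this thread or from the FreeIPA project: it generates a CSR whose subject CN and SAN dNSName carry the host's FQDN, compares the CN with the host part of the service principal the way the error message describes (simplified: the host's registered aliases are not consulted), and only then runs the ipa commands. The hostname, zone, address, the `make_csr` and `ipa_issue_cert` helpers and the use of `--force` are illustrative assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not part of the thread: issue an IPA cert for a service on a
# host outside the IPA DNS domain, with a CSR whose subject CN and SAN carry
# the host's FQDN so that it matches the service principal. Hostnames, zone,
# address and realm used here are placeholders, not taken from the thread.

# Host part of a Kerberos service principal:
#   "http/host.example.test@REALM" -> "host.example.test"
principal_host() {
    p=${1#*/}                # drop the "service/" prefix
    printf '%s\n' "${p%@*}"  # drop the "@REALM" suffix
}

# Subject CN of a CSR; RFC 2253 formatting makes the value read "CN=<name>".
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=//; s/.*CN=\([^,]*\).*/\1/p'
}

# Simplified form of the check behind the error in the thread: the CSR's
# subject CN must equal the principal's hostname. (IPA also accepts the host's
# registered aliases; this helper compares only the principal's own name.)
cn_matches_principal() {
    [ "$1" = "$(principal_host "$2")" ]
}

# Key + CSR with the FQDN as CN and as a SAN dNSName (needs OpenSSL >= 1.1.1
# for -addext). Prints the CSR path.
make_csr() {
    fqdn=$1; dir=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" \
        -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" 2>/dev/null
    printf '%s\n' "$dir/$fqdn.csr"
}

# The IPA side: A record (only if the zone is IPA-managed), host, service,
# then the request. --force lets host-add/service-add accept a name that
# IPA cannot resolve in DNS yet.
ipa_issue_cert() {
    fqdn=$1; zone=$2; addr=$3; csr=$4
    short=${fqdn%%.*}
    ipa dnsrecord-add "$zone" "$short" --a-rec="$addr"
    ipa host-add "$fqdn" --force
    ipa service-add "http/$fqdn" --force
    ipa service-add-host "http/$fqdn" --hosts="$fqdn"
    ipa cert-request "$csr" --principal="http/$fqdn"
}

# Usage: sh issue-cert.sh host.example.test example.test. 192.0.2.10
if [ "$#" -eq 3 ]; then
    csr=$(make_csr "$1" "$(mktemp -d)")
    cn=$(csr_cn "$csr")
    if cn_matches_principal "$cn" "http/$1"; then
        ipa_issue_cert "$1" "$2" "$3" "$csr"
    else
        echo "CSR subject CN '$cn' does not match principal host '$1'" >&2
        exit 1
    fi
fi
```

The check is done locally before calling `ipa cert-request` only so that a mismatch is obvious without a round trip; the server performs its own comparison regardless, and the CSR that fails it is one whose CN is the short hostname rather than the FQDN the principal carries.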