I know I can paste a CSR from one of our servers into the GUI and generate a new cert, but how can I do this from a command line?
I've been working with this:
# ipa cert-request --principal=HTTP/$HOST $DB/$HOST.csr
But that's giving me an error that the principal doesn't exist. Then (admittedly, I picked up this command from a discussion I found):
# ipa cert-show $SERIAL_NUMBER --out=$DB/sslcert.pem
How do I get the serial number? Basically, I'm trying to wrap and automate the process of granting a new cert to a server.
Bret Wortman Founder, Damascus Products, LLC
On Apr 11 2019, at 11:31 am, Rob Crittenden rcritten@redhat.com wrote:
Add the --add option to create the principal if it doesn't already exist (assuming your Kerberos principal has rights to add one).
You can make this all automatic with something like:
# KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa cert-request --add --principal=HTTP/$HOST $DB/$HOST.csr
No kinit needed.
The serial number will be in the output from the cert-request command, twice actually: one decimal, one hex.
You can do it hackily via something like:
SERIAL_NUMBER=$(KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa cert-request --principal bar/`hostname` /tmp/csr --add 2>&1 | grep "Serial number: " | cut -d: -f2)
Though that won't catch errors. You can also do a service-show HTTP/$HOST to get the serial number.
rob
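A less fragile version of the one-liner above, as an added example that is not from the thread: it checks the exit status of cert-request before parsing, keeps only the decimal "Serial number:" line (so the "(hex)" line is skipped), and fails instead of handing an empty serial to cert-show. The cert-request output it parses is a constructed sample modelled on the field names Rob describes; the function names and argument order are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Parses the serial number out of
# 'ipa cert-request' output and fails loudly rather than silently
# producing an empty $SERIAL_NUMBER.

# Constructed sample of a successful 'ipa cert-request' run (the
# certificate body is elided). Note the two serial lines Rob mentions.
SAMPLE_OK='  Issuing CA: ipa
  Certificate: MIIC...(elided)...
  Subject: CN=www.example.test,O=EXAMPLE.TEST
  Subject DNS name: www.example.test
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Not Before: Thu Apr 11 15:31:02 2019 UTC
  Not After: Sun Apr 11 15:31:02 2021 UTC
  Serial number: 4660
  Serial number (hex): 0x1234'

# Constructed sample of the failure Bret hit later in the thread.
SAMPLE_ERR='ipa: ERROR: The service principal for subject alt name myhost in certificate request does not exist'

# extract_serial: read cert-request output on stdin and print the decimal
# serial. Only the "Serial number: <digits>" line matches; the
# "Serial number (hex):" line does not. Returns 1 and prints nothing when
# no serial line is present, so a caller cannot proceed with an empty value.
extract_serial() {
    serial=$(sed -n 's/^[[:space:]]*Serial number: \([0-9][0-9]*\)[[:space:]]*$/\1/p' | head -n 1)
    [ -n "$serial" ] || return 1
    printf '%s\n' "$serial"
}

# request_cert: wrapper around the command from the thread (assumed
# arguments: service principal, CSR path, output PEM path). Authenticates
# from the host keytab, creates the principal if needed, checks the exit
# status of cert-request, then fetches the PEM with cert-show.
request_cert() {
    principal=$1; csr=$2; out=$3
    if ! output=$(KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa cert-request --add --principal="$principal" "$csr" 2>&1); then
        printf 'cert-request failed for %s:\n%s\n' "$principal" "$output" >&2
        return 1
    fi
    serial=$(printf '%s\n' "$output" | extract_serial) || {
        printf 'no serial number found in cert-request output\n' >&2
        return 1
    }
    ipa cert-show "$serial" --out="$out"
}
```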
Thanks, Rob. I'm a lot closer now.
What I'm getting now looks like:
# KRB5_CLIENT_KTNAME=/etc/krb5.keytab ipa cert-request --add --principal=HTTP/$HOST $DB/$HOST.csr
ipa: ERROR: The service principal for subject alt name myhost in certificate request does not exist
What we've done before is set up each system with its FQDN and just its hostname (and some have other aliases as well). Is that what's causing a problem? I've looked for documentation on the ipa cert-request command but can't seem to find anything.
On Apr 11 2019, at 1:47 pm, Rob Crittenden rcritten@redhat.com wrote:
IPA requires that every hostname in a cert exist in IPA (so you don't request a SAN for a host you don't own). In this case it is looking for HTTP/<shortname> which I presume doesn't exist.
You can try forcing the creation with:
$ ipa service-add HTTP/<shortname> --force
rob
I should have realized that. We'll just stick with FQDNs from now on.
I adjusted my wrapper and now it runs to completion and does what we expect. Thanks, Rob!
Alexander Bokovoy via FreeIPA-users wrote:
Alternatively, you can add an alias to the service principal.
ipa service-add-principal HTTP/fullname HTTP/shortname
'ipa cert-request' has allowed matching hostnames against service principal aliases (the part after the first /) since 4.5.0.
Rob Crittenden via FreeIPA-users wrote:
This doesn't work in my quickie testing.
$ hostname
ipa.example.test
$ ipa service-show bar/ipa.example.test
  Principal name: bar/ipa.example.test@EXAMPLE.TEST
  Principal alias: bar/ipa.example.test@EXAMPLE.TEST, bar/ipa@EXAMPLE.TEST
  Keytab: False
  Managed by: ipa.example.test
< create CSR with DNS SAN of ipa >
...
        Subject: CN = ipa.example.test
...
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:ipa
$ ipa cert-request --principal bar/`hostname` /tmp/csr --add
ipa: ERROR: The service principal for subject alt name ipa in certificate request does not exist
rob
Alexander Bokovoy via FreeIPA-users wrote:
Works for me via ipa-getcert on 4.7, which internally does 'ipa cert-request':
... ipa: INFO: [xmlserver] host/nyx.xs.ipa.cool@XS.IPA.COOL: cert_request(....) ...
# ipa service-show moobar/nyx.xs.ipa.cool
  Principal name: moobar/nyx.xs.ipa.cool@XS.IPA.COOL
  Principal alias: moobar/nyx.xs.ipa.cool@XS.IPA.COOL, moobar/nyx@XS.IPA.COOL
  Keytab: True
  Managed by: nyx.xs.ipa.cool
  Users allowed to retrieve keytab: admin
  Users allowed to create keytab: admin
# ipa-getcert request -k /etc/pki/tls/private/moobar.key -f /etc/pki/tls/certs/moobar.crt -D nyx -D nyx.xs.ipa.cool -K moobar/nyx.xs.ipa.cool
# ipa-getcert list -f /etc/pki/tls/certs/moobar.crt
Number of certificates and requests being tracked: 17.
Request ID '20190412080750':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/tls/private/moobar.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/moobar.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=XS.IPA.COOL
        subject: CN=nyx.xs.ipa.cool,O=XS.IPA.COOL
        expires: 2021-04-12 10:07:53 CEST
        dns: nyx,nyx.xs.ipa.cool
        principal name: moobar/nyx.xs.ipa.cool@XS.IPA.COOL
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes