Hello,
I have:
- a CA with FreeIPA
- a sub CA, also with FreeIPA
- a server with certmonger installed and connected to the sub CA
- an external client with neither FreeIPA nor certmonger.
The CA, sub CA and server are in the same realm: domaine.fr
The external client is in a different realm: newdomaine.fr
My goal is to generate a certificate for the external client.
So, with the web UI of the sub CA, I've added the DNS zone newdomaine.fr and the host external.domaine.fr.
From the server, when I run the command below:
    ipa-getcert request -v -f /etc/pki/tls/certs/externe.crt -k /etc/pki/tls/private/externe.key -N CN=externe.domaine.fr -D externe.newdomaine.fr -K host/externe.newdomaine.fr@SUB.DOMAINE.FR -I externe
I get this result:
    Request ID 'externe':
        status: CA_REJECTED
        ca-error: Server at https://subca.domaine.fr/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'fqdn=externe.newdomaine.fr,cn=computers,cn=accounts,dc=sub,dc=domaine,dc=fr'.).
I don't understand, because the host has been added.
Could you explain to me how to fix this, please?
Thank you very much!
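As an added example (not part of the original post, and not FreeIPA or certmonger code), the following POSIX shell functions take the text that "ipa-getcert list -i <request-id>" prints for a request and pull out the pieces that matter when triaging a CA_REJECTED state: the status, the LDAP entry the CA refused to write to, the attribute it refused, and the FQDN of that entry. The sample text is constructed to mirror the output quoted above; the function names and the exact spacing of the sample are my assumptions, since the real output wraps differently depending on the terminal.

```shell
#!/bin/sh
# Added example: triage a certmonger CA_REJECTED request from the text that
# `ipa-getcert list -i <id>` prints. Sample output below is constructed to
# mirror the error quoted in the post (not captured from a real system).

SAMPLE_STATUS=$(cat <<'EOF'
Request ID 'externe':
    status: CA_REJECTED
    ca-error: Server at https://subca.domaine.fr/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'fqdn=externe.newdomaine.fr,cn=computers,cn=accounts,dc=sub,dc=domaine,dc=fr'.).
EOF
)

# Print the value of the "status:" line (e.g. CA_REJECTED, MONITORING).
getcert_status() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*status:[[:space:]]*//p' | head -n 1
}

# Print the DN named in an "Insufficient access ... of entry '<dn>'" ca-error,
# or nothing if the error is of a different kind.
denied_entry_dn() {
    printf '%s\n' "$1" | sed -n "s/.*Insufficient access:.*of entry '\([^']*\)'.*/\1/p" | head -n 1
}

# Print the attribute the CA was not allowed to write (e.g. userCertificate).
denied_attribute() {
    printf '%s\n' "$1" | sed -n "s/.*Insufficient '[a-z]*' privilege to the '\([^']*\)' attribute.*/\1/p" | head -n 1
}

# Reduce a host entry DN (fqdn=...,cn=computers,...) to its FQDN.
dn_fqdn() {
    printf '%s\n' "$1" | sed -n 's/^fqdn=\([^,]*\),.*/\1/p'
}

# Exit 0 when the request was rejected specifically because the CA could not
# write the issued certificate into the target host's userCertificate
# attribute, i.e. a directory ACL problem rather than a CSR or CA problem.
is_acl_rejection() {
    [ "$(getcert_status "$1")" = "CA_REJECTED" ] &&
    [ "$(denied_attribute "$1")" = "userCertificate" ]
}

# Stand-alone run: summarise the constructed sample.
if is_acl_rejection "$SAMPLE_STATUS"; then
    dn=$(denied_entry_dn "$SAMPLE_STATUS")
    printf 'ACL rejection: CA cannot write %s on host %s\n' \
        "$(denied_attribute "$SAMPLE_STATUS")" "$(dn_fqdn "$dn")"
else
    printf 'Not an ACL rejection: status=%s\n' "$(getcert_status "$SAMPLE_STATUS")"
fi
```

The useful distinction here is that the CA did not refuse to sign: it signed, then failed to store the certificate because the identity certmonger used (the requesting server's host credentials) is not allowed to write the target host entry in the sub CA's directory. In FreeIPA, as I understand it (an assumption about its host-management model, not something stated in the post), that write right on another host's entry is granted through the target host's "managed by" list, which "ipa host-show <fqdn>" displays and "ipa host-add-managedby" changes; the FQDN that dn_fqdn extracts is the entry to inspect.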