Hello,
I have:
- a CA with FreeIPA
- a sub CA with FreeIPA too
- a server with certmonger installed on it and connected to the sub CA
- an external client with neither FreeIPA nor certmonger.
CA, sub CA and server are in the same realm: domaine.fr. The external client is in a different realm: newdomaine.fr.
My goal is to generate a certificate for the external client.
So, with the web UI of the sub CA, I've added the DNS zone newdomaine.fr and the host external.domaine.fr.
From the server, when I run the command below:
ipa-getcert request -v -f /etc/pki/tls/certs/externe.crt -k /etc/pki/tls/private/externe.key -N CN=externe.domaine.fr -D externe.newdomaine.fr -K host/externe.newdomaine.fr@SUB.DOMAINE.FR -I externe
I get this result: Request ID 'externe': status: CA_REJECTED ca-error: Server at https://subca.domaine.fr/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'fqdn=externe.newdomaine.fr,cn=computers,cn=accounts,dc=sub,dc=domaine,dc=fr'.).
I don't understand, because the host is added. Could you explain to me how to fix that, please? Thank you very much!
iam pollux via FreeIPA-users wrote:
> Hello,
> I have:
> - a CA with FreeIPA
> - a sub CA with FreeIPA too
> - a server with certmonger installed on it and connected to the sub CA
> - an external client with neither FreeIPA nor certmonger.
> CA, sub CA and server are in the same realm: domaine.fr. The external client is in a different realm: newdomaine.fr.
> My goal is to generate a certificate for the external client.
> So, with the web UI of the sub CA, I've added the DNS zone newdomaine.fr and the host external.domaine.fr.
> From the server, when I run the command below:
> ipa-getcert request -v -f /etc/pki/tls/certs/externe.crt -k /etc/pki/tls/private/externe.key -N CN=externe.domaine.fr -D externe.newdomaine.fr -K host/externe.newdomaine.fr@SUB.DOMAINE.FR -I externe
> I get this result: Request ID 'externe': status: CA_REJECTED ca-error: Server at https://subca.domaine.fr/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'fqdn=externe.newdomaine.fr,cn=computers,cn=accounts,dc=sub,dc=domaine,dc=fr'.).
> I don't understand, because the host is added. Could you explain to me how to fix that, please?
certmonger executes using the host principal of the machine it is running on. By default a host can only issue certs for itself or for its own services. You can grant permissions for a host to issue certificates for another host or service. This is covered towards the end of https://rcritten.wordpress.com/2018/11/26/how-do-i-get-a-certificate-for-my-...
rob
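As an added example (not part of the thread above, and not Rob's or the FreeIPA project's code), here is the delegation Rob describes done from the shell. The "managed by" relationship is what gives the requesting host's principal write access to the target host's userCertificate attribute, which is exactly the privilege the error message says is missing. The host names are assumptions taken from the thread: server.domaine.fr for the machine running certmonger (never named in the post), externe.newdomaine.fr for the target host named in the error, and "externe" for the request ID. The grant step needs admin credentials on the sub CA; the retry step runs on the certmonger host.

```shell
#!/bin/sh
# Added example: delegate certificate issuance for one IPA host to another,
# retry the certmonger request, and classify the result.
# Assumed names (not from the thread): server.domaine.fr is the host running
# certmonger; externe.newdomaine.fr and request ID "externe" come from the error.

REQUESTER="${REQUESTER:-server.domaine.fr}"
TARGET="${TARGET:-externe.newdomaine.fr}"
REQUEST_ID="${REQUEST_ID:-externe}"

# Run as an IPA admin. Adding REQUESTER to TARGET's "Managed by" list grants
# REQUESTER's host principal write access to TARGET's userCertificate attribute.
grant_managedby() {
    kinit admin
    ipa host-add-managedby "$TARGET" --hosts="$REQUESTER"
    # For a service certificate instead of a host certificate, the equivalent
    # delegation is on the service entry, e.g.:
    #   ipa service-add-host "HTTP/$TARGET" --hosts="$REQUESTER"
    # Confirm the delegation took effect.
    ipa host-show "$TARGET" --all | grep -i 'managed by'
}

# Run on REQUESTER. Resubmit the existing tracking request instead of creating
# a second one with the same ID, then show its state.
retry_request() {
    ipa-getcert resubmit -i "$REQUEST_ID"
    sleep 5
    ipa-getcert list -i "$REQUEST_ID"
}

# Classify `ipa-getcert list` output passed in as $1.
# Returns 0 when the cert was issued and is being tracked (MONITORING),
# 1 on a CA rejection or unreachable CA, 2 for any intermediate state.
check_status() {
    status=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*status: \([A-Z_]*\).*/\1/p' | head -n1)
    case "$status" in
        MONITORING)                 echo "issued ($status)";  return 0 ;;
        CA_REJECTED|CA_UNREACHABLE) echo "failed ($status)";  return 1 ;;
        *)                          echo "pending ($status)"; return 2 ;;
    esac
}

# Typical use: on the sub CA run `grant_managedby`, then on REQUESTER run
#   out=$(retry_request); check_status "$out"
```

Note that the `-K host/externe.newdomaine.fr@SUB.DOMAINE.FR` principal in the original request has to exist for that host, and the realm in it has to match the one the sub CA actually serves; the delegation above only fixes the write privilege on the host entry, which is the failure the error message reports.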
freeipa-users@lists.fedorahosted.org