Red Hat Bugzilla – Bug 488905
Document option to automatically create service principal and/or certs when a new service is set up (later than machine join)
Last modified: 2015-01-04 18:37:03 EST
Description of problem:
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Version set to 1.1 by mistake. Resetting to 2.0
mailed the list for info
Not sure I understand the topic. Creating services/certs is always going to have some amount of manual intervention after the initial realm join.
You first have to ensure that the host exists (which it should if it has joined the realm): ipa host-show ipa.example.com
To create a service: ipa service-add test/ipa.example.com
To request a certificate for that service: ipa cert-request --principal=test/ipa.example.com example.csr
Note that you can use --add to create the service when the certificate is requested. example.csr is a file containing the certificate request.
Another alternative is to use certmonger to manage the certificate request process for you: ipa-getcert request -d /etc/pki/nssdb -n Server-Cert
/etc/pki/nssdb is the global NSS database
Server-Cert is the nickname of this certificate which needs to be unique in that database. There is nothing magical about this name, it can be anything.
Use ipa-getcert list to show the current status of certificates managed by certmonger
*** This bug has been marked as a duplicate of bug 646214 ***