Bug 488905 - Document option to automatically create service principal and/or certs when a new service is set up (later than machine join)
Summary: Document option to automatically create service principal and/or certs when a...
Status: CLOSED DUPLICATE of bug 646214
Alias: None
Product: freeIPA
Classification: Retired
Component: Documentation
Version: 2.0
Hardware: All
OS: Linux
Target Milestone: v2 release
Assignee: David O'Brien
QA Contact: Chandrasekar Kannan
Depends On:
Blocks: 431020 freeipa20 489811 646214 646217
TreeView+ depends on / blocked
Reported: 2009-03-06 05:26 UTC by David O'Brien
Modified: 2015-01-04 23:37 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 646214 (view as bug list)
Last Closed: 2010-11-29 03:25:49 UTC

Attachments (Terms of Use)

Description David O'Brien 2009-03-06 05:26:24 UTC
Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:

Additional info:

Comment 1 David O'Brien 2009-03-08 21:55:26 UTC
Version set to 1.1 by  mistake. Resetting to 2.0

Comment 2 David O'Brien 2010-02-01 04:48:12 UTC
mailed the list for info

Comment 3 Rob Crittenden 2010-02-01 15:45:20 UTC
Not sure I understand the topic. Creating services/certs is always going to have some amount of manual intervention after the initial realm join.

You first have to ensure that the host exists (which it should if it has joined the realm): ipa host-show ipa.example.com

To create a service: ipa service-add test/ipa.example.com

To request a certificate for that service: ipa cert-request --principal=test/ipa.example.com example.csr

Note that you can use --add to create the service when the certificate is requested. example.csr is a file containing the certificate request.

Another alternative is to use certmonger to manage the certificate request process for you: ipa-getcert request -d /etc/pki/nssdb -n Server-Cert

/etc/pki/nssdb is the global NSS database
Server-Cert is the nickname of this certificate which needs to be unique in that database. There is nothing magical about this name, it can be anything.

Use ipa-getcert list to show the current status of certificates managed by certmonger

Comment 5 David O'Brien 2010-11-29 03:25:49 UTC

*** This bug has been marked as a duplicate of bug 646214 ***

Note You need to log in before you can comment on or make changes to this bug.