Bug 646214 - Document option to automatically create service principal and/or certs when a new service is set up (later than machine join)
Summary: Document option to automatically create service principal and/or certs when a...
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: doc-Identity_Management_Guide
Version: 6.1
Hardware: All
OS: Linux
Target Milestone: alpha
Deadline: 2010-12-16
Assignee: David O'Brien
QA Contact: ecs-bugs
Keywords: Documentation
: 488905 646216
Depends On: 488905
Blocks: 431020 freeipa20 489811 646217
Reported: 2010-10-25 00:44 UTC by David O'Brien
Modified: 2011-07-04 01:53 UTC (History)

Clone Of: 488905
Last Closed: 2011-07-04 01:52:58 UTC


Comment 4 David O'Brien 2010-11-29 03:25:49 UTC
*** Bug 488905 has been marked as a duplicate of this bug. ***

Comment 5 David O'Brien 2010-11-29 05:33:13 UTC
I have a question about step #3:

3. To request a certificate for that service: 
# ipa cert-request --principal=test/ipa.example.com example.csr

Does "example.csr" need to already exist? I tried to follow this procedure just using example names, etc., and got "no such file or directory" at this step.

# ipa host-show myclient
  Host name: myclient.mydomain.net
  Principal name: host/myclient.mydomain.net@MYDOMAIN.NET
  Keytab: False
  Managed by: myclient.mydomain.net
[root@myserver ~]# ipa service-add test/myclient.mydomain.net
Added service "test/myclient.mydomain.net@MYDOMAIN.NET"
  Principal: test/myclient.mydomain.net@MYDOMAIN.NET
  Managed by: myclient.mydomain.net
[root@myserver ~]# ipa cert-request --principal=test/myclient.mydomain.net example.csr
ipa: ERROR: invalid 'csr-file': example.csr: No such file or directory:

Nothing after that.

Thanks for any help.

Comment 6 Rob Crittenden 2010-11-29 15:10:09 UTC
From ticket https://fedorahosted.org/freeipa/ticket/520

The format of the CSR is partly dependent upon the CA backend you are using.

If you are using dogtag then the only part of the request subject that is used is the CN, all other components are ignored.

If you are using the selfsign CA backend then the subject must match the configured certificate subject base. You can find this with:

$ ipa config-show
  Certificate Subject base: O=EXAMPLE.COM

This means you need to use EXAMPLE.COM for the organization. Other requests will be rejected.

Generate a CSR using openssl:

NOTE: Enter a period (.) for the country, state, locality and organizational unit if you are using the selfsign backend.

$ openssl req -out example.csr -new -newkey rsa:2048 -nodes -keyout private.key
Generating a 2048 bit RSA private key
writing new private key to 'private.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:.
State or Province Name (full name) [Berkshire]:.
Locality Name (eg, city) [Newbury]:.
Organization Name (eg, company) [My Company Ltd]:EXAMPLE.COM
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ipa.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Using NSS:

If you don't already have an NSS database to store your key in, create one:
$ certutil -N -d /path/to/database/dir
$ certutil -R -s "CN=ipa.example.com, O=EXAMPLE.COM" -d /path/to/database/dir -a > example.csr
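As an added example (not code from this bug report or from FreeIPA), the following shell pre-flight generates the CSR non-interactively with only the subject base and CN set, as the selfsign note above requires, and verifies the CSR subject locally before calling `ipa cert-request`. The `openssl`/`ipa` invocations come from the transcripts above; file names, hostnames, the `test/` service name and the strict "O plus CN only, in either order" rule are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from this bug report or FreeIPA): pre-check a CSR's
# subject against the IPA "Certificate Subject base" before running
# `ipa cert-request`, so a selfsign-backend rejection is caught locally.
# Assumes openssl and the ipa CLI are installed; file names, hostnames and
# the subject base used below are constructed placeholders.

# Read the configured subject base (e.g. "O=EXAMPLE.COM") from ipa config-show.
subject_base_from_ipa() {
    ipa config-show | sed -n 's/^[[:space:]]*Certificate Subject base: //p'
}

# Normalise an "openssl req -noout -subject" line to "O=...,CN=...".
# Handles both the old "subject=/O=X/CN=h" and the newer
# "subject=O = X, CN = h" output styles.
normalize_subject() {
    printf '%s\n' "$1" | sed -e 's/^subject=[[:space:]]*//' \
        -e 's#^/##' -e 's#/#,#g' \
        -e 's/[[:space:]]*=[[:space:]]*/=/g' -e 's/,[[:space:]]*/,/g'
}

# Accept only a subject made of exactly the subject base plus CN=<host>,
# in either order; any extra RDN (C, ST, L, OU) means the selfsign CA
# would reject the request. Returns 0 when acceptable, 1 otherwise.
subject_matches() {   # $1 openssl subject line, $2 subject base, $3 host
    subj=$(normalize_subject "$1")
    case "$subj" in
        "$2,CN=$3"|"CN=$3,$2") return 0 ;;
        *) return 1 ;;
    esac
}

# Generate the CSR non-interactively with only O and CN set, which is the
# equivalent of answering "." to the other prompts in the transcript above.
make_csr() {   # $1 csr, $2 key, $3 host, $4 subject base
    openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -out "$1" \
        -subj "/$4/CN=$3" 2>/dev/null
}

# Full pre-flight: build the CSR, verify its subject, then request the cert.
run_precheck() {   # $1 csr, $2 key, $3 host (service principal must exist)
    base=$(subject_base_from_ipa) || return 1
    make_csr "$1" "$2" "$3" "$base" || return 1
    subject_matches "$(openssl req -in "$1" -noout -subject)" "$base" "$3" || {
        echo "CSR subject does not match subject base '$base'" >&2; return 1; }
    ipa cert-request --principal="test/$3" "$1"
}
```

Run it on the IPA server as `run_precheck example.csr private.key ipa.example.com` after `ipa service-add test/ipa.example.com`; on a dogtag backend only the CN is used, so the subject check there is a consistency check rather than a hard requirement.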

Comment 8 David O'Brien 2010-12-01 01:56:44 UTC
*** Bug 646216 has been marked as a duplicate of this bug. ***

Comment 9 Andrew Ross 2010-12-02 02:04:51 UTC
Verified: Red_Hat_Enterprise_Linux-Enterprise_Identity_Management_Guide-6-web-en-US-0.1-8.el5

Minor note: mentions dogtag "If you are using Dogtag"

Comment 10 David O'Brien 2010-12-06 02:39:20 UTC
These occurrences of Fedora/Dogtag/whatever vs the RH == are slowly being addressed with condition tags. Eventually I'll be able to build either "at the flick of a tag", so to speak.
