How to request host/service certificate when authenticated as Certificate Admin - FreeIPA?
Note: as far as I can tell, I have kept this question as simple as possible. Any kind of help is appreciated.
I am new to FreeIPA and I am having trouble requesting an SSL certificate and key file from FreeIPA acting as the certificate authority.
I authenticated with the Certificate Admin's credentials. Using klist I can see that I obtained a krbtgt:
$ klist
Valid starting Expires Service principal
01/05/2022 5:35:35 01/06/2022 5:35:35 krbtgt/MYDOM@MYDOM
renew until 01/12/2022 5:35:35
sudo /usr/bin/ipa-getcert request -r -w -k /tmp/test.key \
-f /tmp/test.cert.pem \
-g 4096 \
-K HTTP/service.mydom \
-T caIPAserviceCert \
-D test.myDom -N CN=test.myDom,O=MYDOM
New signing request "20220105093346" added.
The only thing that gets created is the private key:
$ ls /tmp
test.key
Why is no certificate created? Insufficient permissions.
Error:
$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20220105093346':
status: CA_REJECTED
ca-error: Server at https://idm.myDom/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/service.mydom@MYDOM,cn=services,cn=accounts,dc=mydom'.).
stuck: yes
key pair storage: type=FILE,location='/tmp/test.key'
certificate: type=FILE,location='/tmp/test.cert.pem'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
Although I can run
$ ipa service-mod HTTP/service.mydom --certificate=
Possible duplicate: freeipa-request-certificate-with-cname
Any ideas?
It turns out that the machine from which I am requesting the certificate needs to be allowed to manage the web service of the web host.
Only the target machine can create a certificate (IPA uses the host kerberos ticket) by default, so to be able to create the certificate on your IPA server you need to allow it to manage the web service for the www host.
[root@ipa-server ~]# ipa service-add-host --hosts=ipa-server.test.lan HTTP/www.test.lan
Source:
Creating certs and keys for services using freeipadogtag/
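The point the answer makes is that the Certificate Admin ticket shown by klist never reaches the CA: certmonger submits the request under the host's own keytab, so the decision is made on the host principal's rights over the service entry, and the fix is to make the requesting host a manager of that service. The following script is an added example (not code from the original post or from FreeIPA): it scans a constructed copy of the `getcert list` output from the question for requests rejected with that exact userCertificate write-access error, extracts the service principal from the error text, and prints the commands from the accepted answer (`ipa service-add-host` followed by `getcert resubmit -i`) that would fix each one. The requesting host name `ipa-server.mydom` is an assumption; nothing is executed against a real IPA server.

```shell
#!/bin/sh
# Added example, not code from the original post. It reproduces the failure
# mode in the question offline: a constructed `getcert list` listing is
# scanned for requests certmonger gave up on because the IPA server denied
# write access to the service entry, and the accepted answer's remedy is
# derived from it. The requesting host name passed in is an assumption.

# Constructed sample, modelled on the `getcert list` output in the question.
sample_getcert_list() {
  cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20220105093346':
	status: CA_REJECTED
	ca-error: Server at https://idm.myDom/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/service.mydom@MYDOM,cn=services,cn=accounts,dc=mydom'.).
	stuck: yes
Request ID '20220105100000':
	status: MONITORING
	stuck: no
EOF
}

# Read `getcert list` output on stdin and print "REQUEST_ID<TAB>PRINCIPAL"
# for every CA_REJECTED request whose ca-error is the userCertificate
# write-access denial from the question. The principal is taken from the
# krbprincipalname RDN in the error and stripped of its realm.
rejected_service_requests() {
  awk -v q="'" '
    /^Request ID/ { id = $3; gsub(q, "", id); sub(/:$/, "", id); status = "" }
    /^[ \t]*status:/ { status = $2 }
    /ca-error:.*Insufficient .write. privilege to the .userCertificate. attribute/ {
      if (status == "CA_REJECTED" && match($0, /krbprincipalname=[^,]+/)) {
        principal = substr($0, RSTART + 17, RLENGTH - 17)
        sub(/@.*/, "", principal)
        print id "\t" principal
      }
    }'
}

# Print (do not run) the fix from the accepted answer for each rejected
# request: let the requesting host manage the service, then have certmonger
# retry the request. $1 is the FQDN of the host running ipa-getcert.
remediation_commands() {
  requesting_host="$1"
  rejected_service_requests | while read -r id principal; do
    printf 'ipa service-add-host --hosts=%s %s\n' "$requesting_host" "$principal"
    printf 'getcert resubmit -i %s\n' "$id"
  done
}

# Stand-alone run: show what would be needed for the sample listing.
sample_getcert_list | remediation_commands ipa-server.mydom
```

On a real system the same functions can be fed `sudo getcert list` instead of the sample, and the printed `ipa service-add-host` command should be run by an administrator who is allowed to edit that service; after it, `ipa service-show HTTP/service.mydom` lists the requesting host under "Managed by", which is the check that the resubmitted request will now be accepted.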