Note: I've tried to keep things as simple as possible in this question, as that is as far as my knowledge goes. Any form of help is appreciated.
I'm new to FreeIPA and I struggle to request an SSL certificate and key file from FreeIPA as Certificate Authority.
I verify that I get a krbtgt using klist with the credentials of Certificate Admin:

$ klist
Valid starting       Expires              Service principal
01/05/2022 5:35:35   01/06/2022 5:35:35   krbtgt/MYDOM@MYDOM
	renew until 01/12/2022 5:35:35
$ sudo /usr/bin/ipa-getcert request -r -w -k /tmp/test.key \
    -f /tmp/test.cert.pem \
    -g 4096 -K HTTP/service.mydom \
    -T caIPAserviceCert \
    -D test.myDom -N CN=test.myDom,O=MYDOM
New signing request "20220105093346" added.
The only thing being created is the private key:

$ ls /tmp
test.key
Why isn't the certificate being created? Insufficient privileges.
$ sudo getcert list
Number of certificates and requests being tracked: 1.
Request ID '20220105093346':
	status: CA_REJECTED
	ca-error: Server at https://idm.myDom/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/service.mydom@MYDOM,cn=services,cn=accounts,dc=mydom'.).
	stuck: yes
	key pair storage: type=FILE,location='/tmp/test.key'
	certificate: type=FILE,location='/tmp/test.cert.pem'
	CA: IPA
	issuer:
	subject:
	expires: unknown
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Though I am able to run:
$ ipa service-mod HTTP/service.mydom --certificate=
Possible duplicate: freeipa-request-certificate-with-cname
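As an added example that is not part of the original post: a shell wrapper around the request above, together with the check a practitioner wants before filing it. certmonger's IPA helper authenticates to the IPA server as the host principal (host/<fqdn> from /etc/krb5.keytab), not as the user who ran kinit, so the Certificate Admin ticket plays no part in the request; the service entry must list the requesting host under "Managed by" for that principal to be allowed to write userCertificate. The variable values are taken from the post, while the host name client.mydom, the two sample outputs, the wrapper function and the suggested `ipa service-add-host` fix are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post. It wraps the post's
# ipa-getcert request and first checks whether the requesting host may write
# the service entry. certmonger's IPA helper authenticates as host/<fqdn>
# from /etc/krb5.keytab, not as the kinit user, so the service entry has to
# list this host under "Managed by" (assumption: this is the cause of the
# 'write' denial seen in the post). Hypothetical: the wrapper, client.mydom,
# the sample outputs, and that ipa, ipa-getcert and getcert are installed.
set -eu

SERVICE="HTTP/service.mydom"        # from the post
KEY=/tmp/test.key                    # from the post
CERT=/tmp/test.cert.pem              # from the post
DNSNAME=test.myDom                   # from the post
SUBJECT="CN=test.myDom,O=MYDOM"      # from the post

# Reduce `getcert list` output (stdin) to "STATUS|CA-ERROR".
getcert_status() {
    awk '
        /^[[:space:]]*status:/   { sub(/^[[:space:]]*status:[[:space:]]*/, "");   st  = $0 }
        /^[[:space:]]*ca-error:/ { sub(/^[[:space:]]*ca-error:[[:space:]]*/, ""); err = $0 }
        END { printf "%s|%s\n", st, err }
    '
}

# Exit 0 if `ipa service-show` output (stdin) lists host $1 under "Managed by".
host_manages_service() {
    sed -n 's/^[[:space:]]*Managed by:[[:space:]]*//p' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
      | grep -qixF -- "$1"
}

# Constructed sample of `getcert list`, modelled on the output in the post.
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID '20220105093346':
	status: CA_REJECTED
	ca-error: Server at https://idm.myDom/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/service.mydom@MYDOM,cn=services,cn=accounts,dc=mydom'.).
	stuck: yes
	CA: IPA
EOF
}

# Constructed sample of `ipa service-show HTTP/service.mydom`: only the
# service's own host manages the entry, so a request from client.mydom fails.
sample_service_show() {
cat <<'EOF'
  Principal name: HTTP/service.mydom@MYDOM
  Managed by: service.mydom
EOF
}

# Live workflow (hypothetical wrapper around the post's command): sh this.sh run
request_service_cert() {
    host=$(hostname -f)
    if ! ipa service-show "$SERVICE" | host_manages_service "$host"; then
        echo "$host is not in 'Managed by' of $SERVICE; certmonger (host/$host) cannot write userCertificate there." >&2
        echo "Fix, with a ticket allowed to edit services: ipa service-add-host '$SERVICE' --hosts='$host'" >&2
        return 1
    fi
    out=$(sudo ipa-getcert request -r -w -k "$KEY" -f "$CERT" -g 4096 \
              -K "$SERVICE" -T caIPAserviceCert -D "$DNSNAME" -N "$SUBJECT")
    id=$(printf '%s\n' "$out" | sed -n 's/^New signing request "\(.*\)" added\.$/\1/p')
    result=$(sudo getcert list -i "$id" | getcert_status)
    case "${result%%|*}" in
        MONITORING)  echo "issued: $CERT" ;;
        CA_REJECTED) echo "rejected: ${result#*|}; after fixing, run: getcert resubmit -i $id" >&2; return 1 ;;
        *)           echo "request $id is in state ${result%%|*}; re-check with: getcert list -i $id" >&2 ;;
    esac
}

if [ "${1:-}" = run ]; then
    request_service_cert
fi
```

The two parsing helpers run offline against the constructed samples; the live path is only taken with the `run` argument, on an enrolled client with a valid ticket.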