
About linux: How to request a host/service certificate when authenticated as Certificate Admin (FreeIPA)

Question Detail

Note: I’ve tried to keep things as simple as possible in this question as that is as far as my knowledge goes. Any form of help is appreciated

I’m new to FreeIPA and I struggle to request an SSL certificate and key file from FreeIPA as Certificate Authority.

I verify that I get a krbtgt using klist with the credentials of Certificate Admin.

$ klist
Valid starting       Expires              Service principal
01/05/2022 5:35:35  01/06/2022 5:35:35  krbtgt/MYDOM@MYDOM
    renew until 01/12/2022 5:35:35

sudo /usr/bin/ipa-getcert request -r -w -k /tmp/test.key \
 -f /tmp/test.cert.pem \
 -g 4096 \
 -K HTTP/service.mydom \
 -T caIPAserviceCert \
 -D test.myDom -N CN=test.myDom,O=MYDOM

New signing request "20220105093346" added.

Only thing being created is the private key:

$ ls /tmp

Why isn’t the certificate being created? Insufficient privileges.

$ sudo getcert list

Number of certificates and requests being tracked: 1.
Request ID '20220105093346':
    status: CA_REJECTED
    ca-error: Server at https://idm.myDom/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/service.mydom@MYDOM,cn=services,cn=accounts,dc=mydom'.).
    stuck: yes
    key pair storage: type=FILE,location='/tmp/test.key'
    certificate: type=FILE,location='/tmp/test.cert.pem'
    CA: IPA
    expires: unknown
    pre-save command: 
    post-save command: 
    track: yes
    auto-renew: yes

Though I am able to run

$ ipa service-mod HTTP/service.mydom --certificate=

Possible duplicate: freeipa-request-certificate-with-cname

Any ideas?

Question Answer

Turns out the machine I am requesting the certificate from needs to be allowed to manage the web service for the web host.

Only the target machine can create a certificate (IPA uses the host kerberos ticket) by default, so to be able to create the certificate on your IPA server you need to allow it to manage the web service for the www host.

[root@ipa-server ~]# ipa service-add-host --hosts=ipa-server.test.lan HTTP/www.test.lan

Creating certs and keys for services using freeipadogtag/
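As an added example (not code from the question, the answer or FreeIPA itself), a small Python parser over `getcert list` output that flags CA_REJECTED requests carrying the 'userCertificate' write-privilege error shown above and derives the `ipa service-add-host` command from the answer. The sample output is constructed after the question's output, and `requesting_host` is a parameter you supply.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample certmonger output, constructed after the `getcert list` output in the
# question (hostnames are the question's placeholders); second request is healthy.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20220105093346':
    status: CA_REJECTED
    ca-error: Server at https://idm.myDom/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/service.mydom@MYDOM,cn=services,cn=accounts,dc=mydom'.).
    stuck: yes
    key pair storage: type=FILE,location='/tmp/test.key'
    certificate: type=FILE,location='/tmp/test.cert.pem'
    CA: IPA
Request ID '20220106000000':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/etc/pki/tls/private/ok.key'
    certificate: type=FILE,location='/etc/pki/tls/certs/ok.pem'
    CA: IPA
"""

# The service principal is embedded in the rejected entry's DN.
PRINCIPAL_RE = re.compile(r"krbprincipalname=([^,']+)")

@dataclass
class TrackedRequest:
    request_id: str
    status: str
    ca_error: Optional[str] = None

def parse_getcert_list(text: str) -> List[TrackedRequest]:
    """Turn `getcert list` output into one record per tracked request."""
    requests: List[TrackedRequest] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Request ID"):
            requests.append(TrackedRequest(request_id=line.split("'")[1], status=""))
        elif requests and line.startswith("status:"):
            requests[-1].status = line.split(":", 1)[1].strip()
        elif requests and line.startswith("ca-error:"):
            requests[-1].ca_error = line.split(":", 1)[1].strip()
    return requests

def managed_by_fix(req: TrackedRequest, requesting_host: str) -> Optional[str]:
    """For a CA_REJECTED request failing on the 'userCertificate' write privilege,
    return the service-add-host command that lets requesting_host manage the service."""
    if req.status != "CA_REJECTED" or not req.ca_error:
        return None
    if "'write' privilege to the 'userCertificate' attribute" not in req.ca_error:
        return None
    match = PRINCIPAL_RE.search(req.ca_error)
    if not match:
        return None
    service = match.group(1).split("@")[0]  # HTTP/service.mydom@MYDOM -> HTTP/service.mydom
    return f"ipa service-add-host --hosts={requesting_host} {service}"
```

Run the suggested command as an IPA admin, then `getcert resubmit -i <request id>` so certmonger retries the stuck request.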
