[Freeipa-users] Fwd: manual client join

Stephen Ingram sbingram at gmail.com
Mon Dec 19 02:05:06 UTC 2011


On Mon, Dec 5, 2011 at 12:49 PM, Rob Crittenden <rcritten at redhat.com> wrote:

...snip...

>
> Be sure that the CN value is the FQDN of your server.
>
> IPA server:
> # ipa cert-request --principal HTTP/remote.example.com /path/to/csr.pem
> # ipa service-show --out=/tmp/service.crt HTTP/remote.example.com
>
> Your cert will be in /tmp/service.crt and PEM formatted for easy use. The
> output of cert-request is just a base64 blob.
>
...snip...
>
> This may be handy to augment the IPA documentation too if you want to donate
> back your findings :-)

OK, I'm going through lots of different scenarios to try to document
this entire process and ran into one problem so far. Using your
suggested command above to retrieve the cert via the command line:

ipa service-show --out=/tmp/service.crt HTTP/remote.example.com

This does not work for the host certificate:

e.g. ipa service-show --out=/tmp/service.crt host/remote.example.com

While it is now easy to get the PEM formatted cert from the UI in
version 2.1.4, I don't see any way to obtain this particular cert from
the command line other than

ipa cert-show {serial number}

which is obviously not very convenient.

Is there another way I'm missing or is that it?

Steve



