Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 488905

Summary: Document option to automatically create service principal and/or certs when a new service is set up (later than machine join)
Product: [Retired] freeIPA Reporter: David O'Brien <daobrien>
Component: DocumentationAssignee: David O'Brien <daobrien>
Status: CLOSED DUPLICATE QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium Docs Contact:
Priority: medium    
Version: 2.0CC: benl, dpal, jgalipea, rcritten
Target Milestone: v2 releaseKeywords: Documentation
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 646214 (view as bug list) Environment:
Last Closed: 2010-11-29 03:25:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 431020, 431022, 489811, 646214, 646217    

Description David O'Brien 2009-03-06 05:26:24 UTC 
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 David O'Brien 2009-03-08 21:55:26 UTC 
Version set to 1.1 by  mistake. Resetting to 2.0
Comment 2 David O'Brien 2010-02-01 04:48:12 UTC 
mailed the list for info
Comment 3 Rob Crittenden 2010-02-01 15:45:20 UTC 
Not sure I understand the topic. Creating services/certs is always going to have some amount of manual intervention after the initial realm join.

You first have to ensure that the host exists (which it should if it has joined the realm): ipa host-show ipa.example.com

To create a service: ipa service-add test/ipa.example.com

To request a certificate for that service: ipa cert-request --principal=test/ipa.example.com example.csr

Note that you can use --add to create the service when the certificate is requested. example.csr is a file containing the certificate request.

Another alternative is to use certmonger to manage the certificate request process for you: ipa-getcert request -d /etc/pki/nssdb -n Server-Cert

/etc/pki/nssdb is the global NSS database
Server-Cert is the nickname of this certificate which needs to be unique in that database. There is nothing magical about this name, it can be anything.

Use ipa-getcert list to show the current status of certificates managed by certmonger
Comment 5 David O'Brien 2010-11-29 03:25:49 UTC 

*** This bug has been marked as a duplicate of bug 646214 ***