
Bug 646214

Summary: Document option to automatically create service principal and/or certs when a new service is set up (later than machine join)
Product: Red Hat Enterprise Linux 6
Reporter: David O'Brien <daobrien>
Component: doc-Identity_Management_Guide
Assignee: David O'Brien <daobrien>
Status: CLOSED CURRENTRELEASE
QA Contact: ecs-bugs
Severity: medium
Priority: medium
Version: 6.1
CC: dpal, jgalipea, mhideo, rcritten
Target Milestone: alpha
Keywords: Documentation
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: 6.1
Doc Type: Bug Fix
Story Points: ---
Clone Of: 488905
Last Closed: 2011-07-04 01:52:58 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 488905
Bug Blocks: 431020, 431022, 489811, 646217
Deadline: 2010-12-16

Comment 4 David O'Brien 2010-11-29 03:25:49 UTC
*** Bug 488905 has been marked as a duplicate of this bug. ***

Comment 5 David O'Brien 2010-11-29 05:33:13 UTC
I have a question about step #3:

3. To request a certificate for that service: 
# ipa cert-request --principal=test/ipa.example.com example.csr

Does "example.csr" need to already exist? I tried to follow this procedure just using example names, etc., and got "no such file or directory" at this step.

# ipa host-show myclient
  Host name: myclient.mydomain.net
  Principal name: host/myclient.mydomain.net
  Keytab: False
  Managed by: myclient.mydomain.net
[root@myserver ~]# ipa service-add test/myclient.mydomain.net
-------------------------------------------------------
Added service "test/myclient.mydomain.net"
-------------------------------------------------------
  Principal: test/myclient.mydomain.net
  Managed by: myclient.mydomain.net
[root@myserver ~]# ipa cert-request --principal=test/myclient.mydomain.net example.csr
ipa: ERROR: invalid 'csr-file': example.csr: No such file or directory:

Nothing after that.

Thanks for any help.

Comment 6 Rob Crittenden 2010-11-29 15:10:09 UTC
From ticket https://fedorahosted.org/freeipa/ticket/520

The format of the CSR is partly dependent upon the CA backend you are using.

If you are using dogtag then the only part of the request subject that is used is the CN; all other components are ignored.

If you are using the selfsign CA backend then the subject must match the configured certificate subject base. You can find this with:

$ ipa config-show
...
  Certificate Subject base: O=EXAMPLE.COM

This means you need to use EXAMPLE.COM for the organization. Other requests will be rejected.

Generate a CSR using openssl:

NOTE: Enter a period (.) for the country, state, locality and organizational unit if you are using the selfsign backend.

$ openssl req -out example.csr -new -newkey rsa:2048 -nodes -keyout private.key
Generating a 2048 bit RSA private key
................................................+++
........................+++
writing new private key to 'privateKey.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:.
State or Province Name (full name) [Berkshire]:.
Locality Name (eg, city) [Newbury]:.
Organization Name (eg, company) [My Company Ltd]:EXAMPLE.COM
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ipa.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Using NSS:

If you don't already have an NSS database to store your key in, create one:
$ certutil -N -d /path/to/database/dir
$ certutil -R -s "CN=ipa.example.com, O=EXAMPLE.COM" -d /path/to/database/dir -a > example.csr

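The selfsign-backend rule above (the CSR subject must be CN=<host> plus the configured Certificate Subject base) as an added shell example; this is not code from the bug report or from FreeIPA. It assumes the `ipa config-show` output format quoted in the comment, and the host name and subject base values are constructed.

```shell
#!/bin/sh
# Added example, not from the bug or FreeIPA: derive the CSR subject from the
# IPA "Certificate Subject base" and check a subject before submitting a CSR
# with `ipa cert-request`. All sample values are constructed.

# Extract the subject base from the text of `ipa config-show`.
# $1 = captured command output
parse_subject_base() {
    printf '%s\n' "$1" | sed -n 's/^ *Certificate Subject base: *//p'
}

# Subject for a service cert: CN=<host> followed by the base as IPA reports it.
# $1 = service host name, $2 = subject base, e.g. "O=EXAMPLE.COM"
build_subject() {
    printf 'CN=%s,%s' "$1" "$2"
}

# Return 0 when every non-CN component of the subject equals the subject base.
# Accepts the "CN=x,O=y" form; whitespace after commas is ignored.
subject_matches_base() {
    subj=$(printf '%s' "$1" | sed 's/, */,/g')
    base=$(printf '%s' "$2" | sed 's/, */,/g')
    rest=$(printf '%s' "$subj" | sed 's/^CN=[^,]*,\{0,1\}//')
    [ "$rest" = "$base" ]
}

# Non-interactive equivalent of the openssl session in the comment: the
# subject is passed with -subj so the base cannot be mistyped. The CSR file
# is written before cert-request is run, which avoids the "No such file or
# directory" error in comment 5. Runs only when openssl is installed.
# $1 = host, $2 = subject base, $3 = CSR output path, $4 = private key path
make_csr() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    # "O=EXAMPLE.COM" -> "/O=EXAMPLE.COM" (each RDN becomes a /-separated part)
    base_path=$(printf '%s' "$2" | sed 's/, */\//g; s/^/\//')
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "${base_path}/CN=$1" -keyout "$4" -out "$3" 2>/dev/null &&
    [ -s "$3" ]
}
```

After `make_csr myclient.mydomain.net "$(parse_subject_base "$(ipa config-show)")" example.csr private.key` succeeds, the `ipa cert-request --principal=... example.csr` step from the procedure can be run with an existing CSR.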
Comment 8 David O'Brien 2010-12-01 01:56:44 UTC
*** Bug 646216 has been marked as a duplicate of this bug. ***

Comment 9 Andrew Ross 2010-12-02 02:04:51 UTC
Verified: Red_Hat_Enterprise_Linux-Enterprise_Identity_Management_Guide-6-web-en-US-0.1-8.el5

Minor note: mentions dogtag "If you are using Dogtag"

Comment 10 David O'Brien 2010-12-06 02:39:20 UTC
These occurrences of Fedora/Dogtag/whatever vs the RH == are slowly being addressed with condition tags. Eventually I'll be able to build either "at the flick of a tag", so to speak.