*** Bug 488905 has been marked as a duplicate of this bug. ***

I have a question about step #3:

3. To request a certificate for that service: 
# ipa cert-request --principal=test/ipa.example.com example.csr

Does "example.csr" need to already exist? I tried to follow this procedure just using example names, etc., and got "no such file or directory" at this step.

# ipa host-show myclient
  Host name: myclient.mydomain.net
  Principal name: host/myclient.mydomain.net
  Keytab: False
  Managed by: myclient.mydomain.net
[root@myserver ~]# ipa service-add test/myclient.mydomain.net
-------------------------------------------------------
Added service "test/myclient.mydomain.net"
-------------------------------------------------------
  Principal: test/myclient.mydomain.net
  Managed by: myclient.mydomain.net
[root@myserver ~]# ipa cert-request --principal=test/myclient.mydomain.net example.csr
ipa: ERROR: invalid 'csr-file': example.csr: No such file or directory:

Nothing after that.

Thanks for any help.

From ticket https://fedorahosted.org/freeipa/ticket/520

The format of the CSR is partly dependent upon the CA backend you are using.

If you are using dogtag then the only part of the request subject that is used is the CN, all other components are ignored.

If you are using the selfsign CA backend then the subject must match the configured certificate subject base. You can find this with:

$ ipa config-show
...
  Certificate Subject base: O=EXAMPLE.COM

This means you need to use EXAMPLE.COM for the organization. Other requests will be rejected.

Generate a CSR using openssl:

NOTE: Enter a period (.) for the country, state, locality and organizational unit if you are using the selfsign backend.

$ openssl req -out example.csr -new -newkey rsa:2048 -nodes -keyout private.key
Generating a 2048 bit RSA private key
................................................+++
........................+++
writing new private key to 'privateKey.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:.
State or Province Name (full name) [Berkshire]:.
Locality Name (eg, city) [Newbury]:.
Organization Name (eg, company) [My Company Ltd]:EXAMPLE.COM
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ipa.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Using NSS:

If you don't already have an NSS database to store your key in, create one:
$ certutil -N -d /path/to/database/dir
$ certutil -R -s "CN=ipa.example.com, O=EXAMPLE.COM" -d /path/to/database/dir -a > example.csr

*** Bug 646216 has been marked as a duplicate of this bug. ***

Verified: Red_Hat_Enterprise_Linux-Enterprise_Identity_Management_Guide-6-web-en-US-0.1-8.el5

Minor note: mentions dogtag "If you are using Dogtag"

These occurrences of Fedora/Dogtag/whatever vs the RH == are slowly being addressed with condition tags. Eventually I'll be able to build either "at the flick of a tag", so to speak.