[Freeipa-users] Fwd: manual client join

John Dennis jdennis at redhat.com
Mon Dec 19 13:36:24 UTC 2011


On 12/18/2011 09:05 PM, Stephen Ingram wrote:
> On Mon, Dec 5, 2011 at 12:49 PM, Rob Crittenden<rcritten at redhat.com>  wrote:
>
> ...snip...
>
>>
>> Be sure that the CN value is the FQDN of your server.
>>
>> IPA server:
>> # ipa cert-request --principal HTTP/remote.example.com /path/to/csr.pem
>> # ipa service-show --out=/tmp/service.crt HTTP/remote.example.com
>>
>> Your cert will be in /tmp/service.crt and PEM formatted for easy use. The
>> output of cert-request is just a base64 blob.
>>
> ...snip...
>>
>> This may be handy to augment the IPA documentation too if you want to donate
>> back your findings :-)
>
> OK, I'm going through lots of different scenarios to try to document
> this entire process and ran into one problem so far. Using your
> suggested command above to retrieve the cert via the command line:
>
> ipa service-show --out=/tmp/service.crt HTTP/remote.example.com
>
> This does not work for the host certificate:
>
> e.g. ipa service-show --out=/tmp/service.crt host/remote.example.com
>
> While it is now easy to get the PEM formatted cert from the UI in
> version 2.1.4, I don't see any way to obtain this particular cert from
> the command line other than
>
> ipa cert-show {serial number}
>
> which is obviously not very convenient.
>
> Is there another way I'm missing or is that it?

Sorry, but currently on the command line the only way to specify a 
certificate is via its serial number. The serial number is the only 
identifier guaranteed to be unique. However, I agree it's not 
convenient. Would you like to open an RFE (Request for Enhancement) on 
https://fedorahosted.org/freeipa/


-- 
John Dennis <jdennis at redhat.com>
