I may well have messed this up, but here's what I've done: # ipa host-add --force damascusgrp.com ---------------------------- Added host "damascusgrp.com" ---------------------------- Host name: damascusgrp.com Principal name: host/[email protected] Principal alias: host/[email protected] Password: False Member of host-groups: allow_all_hosts Indirect Member of netgroup: allow_all_hosts Keytab: False Managed by: damascusgrp.com # ipa certprofile-show caIPAserviceCert --out SubCA.cfg ------------------------------------------------ Profile configuration stored in file "SubCA.cfg" ------------------------------------------------ Profile ID: caIPAserviceCert Profile description: Standard profile for network services Store issued certificates: TRUE # vim SubCA.cfg : profileId=damascusgrp.com : # ipa certprofile-import 'damascusgrp.com' --desc "Web Team CA" --file SubCA.cfg --store=1 ipa: ERROR: invalid 'id': invalid Profile ID
-- Bret Wortman [email protected] On Tue, Feb 16, 2021, at 7:40 AM, Bret Wortman wrote: > Just to be clear, I'm going to follow the steps, but instead of setting > up sub.ipa.local, I'm going to instead use simply "damascusgrp.com", > yielding a principal named host/[email protected], right? > And then proceed through the rest of the steps. > > > -- > Bret Wortman > [email protected] > > On Tue, Feb 16, 2021, at 7:05 AM, Bret Wortman wrote: > > Okay, I'll give it a try. Thanks! > > > > > > -- > > Bret Wortman > > [email protected] > > > > On Tue, Feb 16, 2021, at 6:59 AM, Fraser Tweedale wrote: > > > On Tue, Feb 16, 2021 at 05:53:31AM -0500, Bret Wortman wrote: > > > > Fraser, > > > > > > > > It doesn't look like we fit the model. Our IPA CA's cert is as > > > > expected, but the other one is: > > > > > > > > $ openssl x509 -noout -in web-ca.crt -issuer issuer= > > > > /C=US/ST=VA/L=Fairfax/O=DG Web Team/OU=DG/CN=damascusgrp.com DG > > > > Web Team Root CA > > > > > > > > Since I don't see a hostname in there anywhere (and in fact, > > > > further conversations with this team turned up the fact that > > > > they're just creating these by hand using openssl commands rather > > > > than running any sort of service at all), I'm hesitant to just > > > > barge ahead and try to make it work on my own... > > > > > > The CN (damascusgrp.com) is a domain name. You can add a host > > > object with that name to FreeIPA. I think the procedure outlined in > > > the blog post should work for you. > > > > > > Cheers, > > > Fraser > > > > > > > > > > > -- > > > > Bret Wortman > > > > [email protected] > > > > > > > > On Mon, Feb 15, 2021, at 8:30 PM, Fraser Tweedale wrote: > > > > > On Mon, Feb 15, 2021 at 10:10:59AM -0500, Bret Wortman via > > > > > FreeIPA-users wrote: > > > > > > We had a developer team deploy their own CA and then issue a slew > > > > > > of certificates for users' workstations and other servers, and now > > > > > > they want us to deploy those certificates more widely. I'd rather > > > > > > find a way to bring their CA under ours so that the root CA > > > > > > certificate we already distribute will make theirs "just work" > > > > > > rather than having to distribute another set of root CA > > > > > > certificates. > > > > > > > > > > > > Is this possible, or would they have to start over and build a > > > > > > subordinate CA from the ground up to make it work? If it's perhaps > > > > > > possible, under what circumstances? > > > > > > > > > > > Hi Bret, > > > > > > > > > > It is possible, but there are restrictions about what the sub-CAs > > > > > subject DN can be. Have a read of this blog post: > > > > > https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordinate-ca.html > > > > > > > > > > If your developer team's CA certificate does not fit those > > > > > requirements, please share the details of the certificate > > > > > (especially Subject DN) and I'll see if I can find a workaround. > > > > > > > > > > Cheers, > > > > > Fraser > > > > > > > > > > > > > > > > > Thanks! > > > > > > > > > > > > Bret > > > > > > _______________________________________________ > > > > > > FreeIPA-users mailing list -- [email protected] > > > > > > To unsubscribe send an email to > > > > > > [email protected] > > > > > > Fedora Code of Conduct: > > > > > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > > > > > List Guidelines: > > > > > > https://fedoraproject.org/wiki/Mailing_list_guidelines > > > > > > List Archives: > > > > > > https://lists.fedorahosted.org/archives/list/[email protected] > > > > > > Do not reply to spam on the list, report it: > > > > > > https://pagure.io/fedora-infrastructure > > > > > > > > > > > > > > > > > > > > _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
