Hi,
I need to create a new certificate for my Asus router. The router is not part of freeipa domain so I need to manually update the certificate when it expires.
getcert request -k /etc/pki/router_private -f /etc/pki/router_cert -D router.my.lan -N "cn=router.my.lan" -K http/router.my.lan -c IPA
then getcert list shows this:
Request ID '20170722085458':
        status: CA_REJECTED
        ca-error: Server at https://ipa.my.lan/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/router.my.lan@MY.LAN,cn=services,cn=accounts,dc=my,dc=lan'.).
        stuck: yes
        key pair storage: type=FILE,location='/etc/pki/router_private'
        certificate: type=FILE,location='/etc/pki/router_cert'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
I then removed the existing HTTP/router.my.lan principal but then I get:
        ca-error: Server at https://ipa.win.lan/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=http/router.my.lan@MY.LAN,cn=services,cn=accounts,dc=my,dc=lan'.).
Any hints on how I create the certificate?
-- john
freeipa-users@lists.fedorahosted.org
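Both errors in the post come from IPA's access control rather than from certmonger: when certmonger runs as root on an IPA-enrolled client it submits the request with that client's host/ principal (its /etc/krb5.keytab), and IPA only lets that principal write a service's userCertificate if the client is listed in the service entry's managedBy attribute. The script below is an added example, not code from the original post or from the FreeIPA project. It parses the text that `getcert list` prints, reports the requests certmonger has given up on, maps the two "Insufficient access" messages quoted above to their cause, and prints the `ipa` commands an administrator would run to let the requesting host manage the service. The host name ipaclient.my.lan and the second request ID in the built-in sample are constructed stand-ins; the `--force` flags skip the DNS checks, which is what a router outside the IPA domain needs.

```shell
#!/bin/sh
# Added example, not code from the original post or from the FreeIPA project.
# Triage for stuck certmonger requests: parse what `getcert list` prints, pick
# out the requests certmonger has given up on, and map the two IPA
# "Insufficient access" errors quoted in the post to their cause.
# Assumption: certmonger runs as root on an IPA-enrolled client and submits the
# request with that client's host/ principal (its /etc/krb5.keytab), so IPA
# checks whether that host is listed in the service entry's managedBy.

# Map one ca-error line to a one-line diagnosis. Returns 1 if unrecognised.
classify_ca_error() {
    case "$1" in
        *"Insufficient 'write' privilege to the 'userCertificate' attribute"*)
            echo "service exists but the requesting host is not in its managedBy list" ;;
        *"Insufficient 'add' privilege to add the entry"*)
            echo "service principal does not exist and the requesting host may not create it" ;;
        *)
            echo "unrecognised ca-error"; return 1 ;;
    esac
}

# Pull the principal out of the DN quoted in a ca-error line, e.g.
# HTTP/router.my.lan@MY.LAN. Case is preserved: Kerberos principals are
# case-sensitive, so http/ and HTTP/ name different services.
principal_from_error() {
    printf '%s\n' "$1" \
        | sed -n 's/.*krbprincipalname=\([^,]*\),.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# Read `getcert list` output on stdin and print one line per request that
# certmonger reports as stuck: "<request id> <status> <ca-error text>".
stuck_requests() {
    awk '
        /^Request ID/ { id = $3; gsub(/[^A-Za-z0-9_.-]/, "", id); st = ""; err = "" }
        /^[[:space:]]*status:/   { st = $2 }
        /^[[:space:]]*ca-error:/ { sub(/^[[:space:]]*ca-error:[[:space:]]*/, ""); err = $0 }
        /^[[:space:]]*stuck:/    { if ($2 == "yes") printf "%s %s %s\n", id, st, err }
    '
}

# Print the IPA commands an admin (not the client itself) would run so that
# HOST may request and store certificates for PRINCIPAL. --force skips the
# DNS checks, which is what a router outside the IPA domain needs.
suggest_fix() {
    svc="${1%@*}"        # HTTP/router.my.lan  (realm dropped)
    target="${svc#*/}"   # router.my.lan       (the service's host part)
    host="$2"
    echo "ipa host-add $target --force"
    echo "ipa service-add $svc --force"
    echo "ipa service-add-host $svc --hosts=$host"
}

main() {
    # Constructed sample modelled on the getcert list output quoted in the post;
    # ipaclient.my.lan stands in for whatever host runs certmonger (assumption).
    sample="Request ID '20170722085458':
    status: CA_REJECTED
    ca-error: Server at https://ipa.my.lan/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/router.my.lan@MY.LAN,cn=services,cn=accounts,dc=my,dc=lan'.).
    stuck: yes
Request ID '20170722090000':
    status: MONITORING
    stuck: no"
    printf '%s\n' "$sample" | stuck_requests | while read -r id st err; do
        echo "request $id is $st"
        diag=$(classify_ca_error "$err") || true
        echo "  cause: $diag"
        principal=$(principal_from_error "$err")
        if [ -n "$principal" ]; then
            echo "  fix (run as an IPA admin):"
            suggest_fix "$principal" ipaclient.my.lan | sed 's/^/    /'
        fi
    done
}

main "$@"
```

Feed the script real output with `getcert list | stuck_requests` after sourcing it, and run the printed `ipa` commands with admin credentials; the `host-add` and `service-add` lines are only needed when the router host entry or the service principal does not exist yet, which is what the second error in the post indicates.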