Is it possible to use certmonger to request a cert from a FreeIPA sub-CA? What is the `ipa-getcert request` command-line usage for that?
The certmonger man-pages seem to indicate the `ipa-getcert request -X ISSUER` argument. However I've been unable to find usage examples, and using neither the ipa sub-CA's name nor subject DN for ISSUER seems to work.
I haven't dug into the source yet, but the certmonger puppet module readme [1] seems to indicate the plumbing is there for request `issuer` and `issuerdn`.
Thanks for any tips.
John
On 07/12/2017 12:50 PM, John Morris via FreeIPA-users wrote:
> Is it possible to use certmonger to request a cert from a FreeIPA sub-CA? What is the `ipa-getcert request` command-line usage for that?
> The certmonger man-pages seem to indicate the `ipa-getcert request -X ISSUER` argument. However I've been unable to find usage examples, and using neither the ipa sub-CA's name nor subject DN for ISSUER seems to work.
I'm not sure what changed, but the `-X sub-CA-name` arg started working suddenly. Very nice!
Sadly, the `-F ca-cert-file-path` arg only gets the top-level CA cert, and not the sub-CA cert. But that can be worked around. Thanks-
John
freeipa-users@lists.fedorahosted.org