Need to document how to generate CSRs using either openssl or NSS for use with 'ipa cert-request'
Also need to document how to use certmonger to request certs for the same or different hosts and services. Particularly how to recover from problems.
The format of the CSR is partly dependent upon the CA backend you are using.
If you are using dogtag, then the only part of the request subject that is used is the CN; all other components are ignored.
If you are using the selfsign CA backend then the subject must match the configured certificate subject base. You can find this with:
$ ipa config-show
...
  Certificate Subject base: O=EXAMPLE.COM

This means you need to use EXAMPLE.COM for the organization. Requests with any other organization will be rejected.
Generate a CSR using openssl:
NOTE: Enter a period (.) for the country, state, locality and organizational unit if you are using the selfsign backend.
$ openssl req -out example.csr -new -newkey rsa:2048 -nodes -keyout private.key
Generating a 2048 bit RSA private key
................................................+++
........................+++
writing new private key to 'privateKey.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:.
State or Province Name (full name) [Berkshire]:.
Locality Name (eg, city) [Newbury]:.
Organization Name (eg, company) [My Company Ltd]:EXAMPLE.COM
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ipa.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using NSS:
If you don't already have an NSS database to store your key in, create one:
$ certutil -N -d /path/to/database/dir

Then generate the key and the CSR in one step (-a writes the request in PEM/ASCII form):

$ certutil -R -s "CN=ipa.example.com, O=EXAMPLE.COM" -d /path/to/database/dir -a > example.csr
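The openssl walkthrough above answers the DN prompts by hand, and the selfsign note says the organization must equal the configured subject base. The following is an added example, not text or code from the ticket or from FreeIPA itself: it builds the same CSR non-interactively with openssl (passing the DN via -subj, which leaves C/ST/L/OU blank exactly as answering '.' does), reads the subject back out of the CSR, and checks it against the subject base the way the selfsign backend would, so a mismatched request is caught before 'ipa cert-request' rejects it. The host name ipa.example.com, the subject base O=EXAMPLE.COM and the principal HTTP/ipa.example.com are placeholders taken from the ticket, and 'ipa config-show' is assumed to print the "Certificate Subject base:" line quoted above.

```shell
#!/bin/sh
# Added example (not from the ticket or FreeIPA): generate a CSR for
# 'ipa cert-request' without prompts and verify its subject against the
# configured certificate subject base before submitting it.

# Pull the subject base out of 'ipa config-show' output (read on stdin).
# Assumes the line format quoted in the ticket: "Certificate Subject base: O=EXAMPLE.COM"
subject_base_from_config() {
    sed -n 's/^ *Certificate Subject base: *//p'
}

# Check that a subject is acceptable for the selfsign backend:
# it must contain the configured base as its only O= component, plus a CN.
# Accepts either "CN=host, O=EXAMPLE.COM" or "/O=EXAMPLE.COM/CN=host" form.
# Usage: subject_ok "<subject>" "<subject base>"   -> exit 0 if acceptable
subject_ok() {
    subj=$1
    base=$2
    # Normalise: one RDN per line, surrounding spaces stripped, empty lines dropped.
    rdns=$(printf '%s\n' "$subj" | tr ',/' '\n\n' | sed 's/^ *//; s/ *$//' | grep -v '^$' || true)
    # The configured base must be present verbatim.
    printf '%s\n' "$rdns" | grep -qxF "$base" || return 1
    # A CN is required (it is the only component dogtag looks at at all).
    printf '%s\n' "$rdns" | grep -q '^CN=' || return 1
    # A second O= component would not match the base and would be rejected.
    [ "$(printf '%s\n' "$rdns" | grep -c '^O=' || true)" -eq 1 ] || return 1
    return 0
}

# Generate a 2048-bit RSA key and a CSR with the given subject, no prompts.
# Usage: make_csr <hostname> <subject base> <csr file> <key file>
make_csr() {
    host=$1 base=$2 out=$3 key=$4
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$key" -out "$out" \
        -subj "/$base/CN=$host" 2>/dev/null
}

# Print the subject stored in a CSR as a comma-separated RFC 2253 string.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Demo: runs only when openssl is installed; files go to a temporary directory.
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    # In practice: base=$(ipa config-show | subject_base_from_config)
    base="O=EXAMPLE.COM"
    make_csr ipa.example.com "$base" "$tmp/example.csr" "$tmp/private.key"
    subj=$(csr_subject "$tmp/example.csr")
    if subject_ok "$subj" "$base"; then
        echo "CSR subject '$subj' matches subject base '$base'; submit with:"
        echo "  ipa cert-request --principal=HTTP/ipa.example.com $tmp/example.csr"
    else
        echo "CSR subject '$subj' does not match subject base '$base'; it would be rejected" >&2
    fi
    rm -rf "$tmp"
fi
```

The check is only meaningful for the selfsign backend; with dogtag the extra components are ignored rather than rejected, so a CSR that passes subject_ok is valid for both. The private key never leaves the temporary directory in the demo; for a real request, keep the -keyout file where the service will read it and protect it accordingly.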
Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.0 - 2010/11