  • Insufficient 'write' privilege to the 'userCertificate' attribute

    Hi everybody. I’m testing ipa-server 2.1.3. I’m trying to create a Certificate for vsftpd.

     

    I can successfully create the certificate with the following command:

     

    # ipa cert-request --add --principal=FTP/ftp.linux.com.py ftp.csr

     

    But I want to create certificates with subjectAltName DNS extensions, and it seems that is not possible through an OpenSSL CSR and dogtag/IPA.

     

    So I deleted the service entry, then I created it again using:

     

    # ipa service-add FTP/ftp.linux.com.py

     

    Then I tried to create the certificate using the following command:

     

    # ipa-getcert request -k /etc/vsftpd/private/ftp.key -f /etc/vsftpd/certs/ftp.crt -N "cn=ftp.linux.com.py" -D "cn=le-303.linux.com.py" -D "cn=ftp" -D "cn=le-303" -K FTP/ftp.linux.com.py

     

    But I have the following error:

     

    Request ID '20120108062420':
            status: CA_REJECTED
            ca-error: Server denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=ftp/ftp linux com py linux com py,cn=services,cn=accounts,dc=linux,dc=com,dc=py'.).
            stuck: yes
            key pair storage: type=FILE,location='/etc/vsftpd/private/ftp.key'
            certificate: type=FILE,location='/etc/vsftpd/certs/ftp.crt'
            CA: IPA
            issuer:
            subject:
            expires: unknown
            track: yes
            auto-renew: yes

     

    It looks like there is a problem with an ACI, or the admin principal does not have enough privileges.

     

    Can anyone give me some hints?

     

    I need to sign certificates with DNS subjectAltName with IPA.

     

    Thanks in advance.
