Red Hat Training
A Red Hat training course is available for Red Hat Enterprise Linux
11.2. Adding Services and Certificates for Services
While services can use keytabs, some services require certificates for access. In that case, a service can be added (or modified) to include a certificate with its service entry.
11.2.1. Adding Services and Certificates from the Web UI
- Open the Identity tab, and select the Services subtab.
- Click the Add link at the top of the services list.
- Select the service type from the drop-down menu, and give it a name.
- Select the hostname of the IdM host on which the service is running. The hostname is used to construct the full service principal name.
- Click the Add and Edit button to go directly to the service entry page.
- Scroll to the bottom of the page, to the Service Certificate section.
- Click the New Certificate button to create the service certificate.
11.2.2. Adding Services and Certificates from the Command Line
- Create the service principal. The service is recognized through a name like service/FQDN:
[jsmith@ipaserver ~]$ kinit admin [jsmith@ipaserver ~]$ ipa service-add serviceName/hostname
For example:$ ipa service-add HTTP/server.example.com ------------------------------------------------------- Added service "HTTP/server.example.com@EXAMPLE.COM" ------------------------------------------------------- Principal: HTTP/server.example.com@EXAMPLE.COM Managed by: ipaserver.example.com
- Create a certificate for the service. Be sure to copy the keytab to the appropriate directory for the service.For example:
$ ipa cert-request --principal=HTTP/web.example.com example.csr
Note
Use the--addoption to create the service automatically when requesting the certificate.Alternatively, use thegetcertcommand, which creates and manages the certificate throughcertmonger. The options are described more in Section B.1, “Requesting a Certificate with certmonger”.$ ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/client1.example.com -N 'CN=client1.example.com,O=EXAMPLE.COM'
