Search

11.2. Adding Services and Certificates for Services

download PDF
While services can use keytabs, some services require certificates for access. In that case, a service can be added (or modified) to include a certificate with its service entry.

11.2.1. Adding Services and Certificates from the Web UI

  1. Open the Identity tab, and select the Services subtab.
  2. Click the Add link at the top of the services list.
  3. Select the service type from the drop-down menu, and give it a name.
  4. Select the hostname of the IdM host on which the service is running. The hostname is used to construct the full service principal name.
  5. Click the Add and Edit button to go directly to the service entry page.
  6. Scroll to the bottom of the page, to the Service Certificate section.
  7. Click the New Certificate button to create the service certificate.

11.2.2. Adding Services and Certificates from the Command Line

  1. Create the service principal. The service is recognized through a name like service/FQDN:
    [jsmith@ipaserver ~]$ kinit admin
    [jsmith@ipaserver ~]$ ipa service-add serviceName/hostname
    For example:
    $ ipa service-add HTTP/server.example.com 
    
    -------------------------------------------------------
    Added service "HTTP/server.example.com@EXAMPLE.COM"
    -------------------------------------------------------
      Principal: HTTP/server.example.com@EXAMPLE.COM
      Managed by: ipaserver.example.com
    
  2. Create a certificate for the service. Be sure to copy the keytab to the appropriate directory for the service.
    For example:
    $ ipa cert-request --principal=HTTP/web.example.com example.csr

    Note

    Use the --add option to create the service automatically when requesting the certificate.
    Alternatively, use the getcert command, which creates and manages the certificate through certmonger. The options are described more in Section B.1, “Requesting a Certificate with certmonger”.
    $ ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/client1.example.com -N 'CN=client1.example.com,O=EXAMPLE.COM'
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.