Oleg, could you add what exact values you have tried? From this description it is unclear for what kind (user/host/service) of principal you've been issuing the cert.
I created a user and was able to issue a certificate for him:
# certutil -d certs -R -s "CN=testuser" -o test.csr -z /etc/group -f certs/pwd -a
# ipa cert-request test.csr --principal=testuser --profile-id=caIPAuserCert
But when I repeat the same actions for a user that was not yet created, with the '--add' option of 'ipa cert-request' the command fails with "The principal for this request doesn't exist."
# certutil -d certs -R -s "CN=otheruser" -o otheruser.csr -z /etc/group -f certs/pwd -a
# ipa cert-request otheruser.csr --principal=otheruser --profile-id=caIPAuserCert --add
ipa: ERROR: The principal for this request doesn't exist.
Currently principal auto-creation is only supported for hosts and services.
IMO the scope of this ticket is to give a better error message if --add is attempted for a user.
patch on the list, moving to 4.4
master:
Metadata Update from @ofayans: - Issue assigned to ftweedal - Issue set to the milestone: FreeIPA 4.4