
How to request host/service certificate when authenticated as Certificate Admin - FreeIPA?


Note: I've tried to keep things as simple as possible in this question, as that is as far as my knowledge goes. Any form of help is appreciated.

I'm new to FreeIPA and I struggle to request an SSL certificate and key file from FreeIPA as the Certificate Authority.

I verify that I get a krbtgt with klist, using the credentials of the Certificate Admin.

$ klist
Valid starting       Expires              Service principal
01/05/2022 5:35:35  01/06/2022 5:35:35  krbtgt/MYDOM@MYDOM
    renew until 01/12/2022 5:35:35

sudo /usr/bin/ipa-getcert request -r -w -k /tmp/test.key \
 -f /tmp/test.cert.pem \
 -g 4096 \
 -K HTTP/service.mydom \
 -T caIPAserviceCert \
 -D test.myDom -N CN=test.myDom,O=MYDOM


New signing request "20220105093346" added.

Only thing being created is the private key:

$ ls /tmp
test.key

Why isn't the certificate being created? Insufficient privileges. Error:

$ sudo getcert list

Number of certificates and requests being tracked: 1.
Request ID '20220105093346':
    status: CA_REJECTED
    ca-error: Server at https://idm.myDom/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/service.mydom@MYDOM,cn=services,cn=accounts,dc=mydom'.).
    stuck: yes
    key pair storage: type=FILE,location='/tmp/test.key'
    certificate: type=FILE,location='/tmp/test.cert.pem'
    CA: IPA
    issuer: 
    subject: 
    expires: unknown
    pre-save command: 
    post-save command: 
    track: yes
    auto-renew: yes

Though I am able to run

$ ipa service-mod HTTP/service.mydom --certificate=

Possible duplicate: freeipa-request-certificate-with-cname

Any ideas?


Solution

  • Turns out the machine I am requesting the certificate from needs to be allowed to manage the web service for web host.

    Only the target machine can create a certificate (IPA uses the host kerberos ticket) by default, so to be able to create the certificate on your IPA server you need to allow it to manage the web service for the www host.
    [root@ipa-server ~]# ipa service-add-host --hosts=ipa-server.test.lan HTTP/www.test.lan

    Source: Creating certs and keys for services using freeipadogtag/
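The answer's point is that certmonger authenticates to IPA with the host's Kerberos credential, not with the krbtgt the user obtained, so the user's Certificate Admin role never enters into it: the host itself must be allowed to manage the service entry. The script below is an added example, not code from the question or the answer; it parses `getcert list` output, flags requests that are stuck in CA_REJECTED because of the "Insufficient 'write' privilege" error, extracts the service principal from that error, and prints the `ipa service-add-host` command from the answer for the requesting host. The getcert output is the one from the question embedded as a constructed sample, and the requesting host name `ipa-server.test.lan` is a constructed placeholder; on a real system you would pipe in `getcert list` and pass `hostname -f`.

```shell
#!/bin/sh
# Added example (not from the original post): triage "getcert list" output for
# certmonger requests the IPA CA rejected because the requesting host may not
# write userCertificate on the service entry, and print the remediation.

# Constructed sample: the relevant lines of the getcert output from the question.
SAMPLE_GETCERT_OUTPUT="Number of certificates and requests being tracked: 1.
Request ID '20220105093346':
    status: CA_REJECTED
    ca-error: Server at https://idm.myDom/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=HTTP/service.mydom@MYDOM,cn=services,cn=accounts,dc=mydom'.).
    stuck: yes
    key pair storage: type=FILE,location='/tmp/test.key'
    certificate: type=FILE,location='/tmp/test.cert.pem'
    CA: IPA"

# Constructed placeholder for the host that runs certmonger; use "hostname -f" for real.
REQUESTING_HOST="${REQUESTING_HOST:-ipa-server.test.lan}"

# Read getcert output on stdin; print one line per request: "<id> <status> <principal>",
# where <principal> is the entry named in an access-denied ca-error, or "-" if none.
parse_getcert() {
    awk '
        function flush() { if (id != "") print id, status, (principal == "" ? "-" : principal) }
        /^Request ID/ { flush(); id = $3; gsub(/[^0-9]/, "", id); status = "UNKNOWN"; principal = "" }
        /^[ \t]+status:/ { status = $2 }
        /krbprincipalname=/ {
            # "krbprincipalname=" is 17 characters; keep everything up to the next comma
            if (match($0, /krbprincipalname=[^,]*/))
                principal = substr($0, RSTART + 17, RLENGTH - 17)
        }
        END { flush() }
    '
}

# Emit the fix used in the answer: allow the requesting host to manage the
# service so the host credential certmonger presents can write userCertificate.
# The realm suffix is dropped; the answer passes the principal without it.
suggest_fix() {
    requester="$1"
    principal="${2%@*}"
    printf 'ipa service-add-host --hosts=%s %s\n' "$requester" "$principal"
}

# Walk every tracked request and report what, if anything, needs doing.
triage() {
    requester="$1"
    parse_getcert | while read -r id status principal; do
        case "$status" in
            CA_REJECTED)
                if [ "$principal" != "-" ]; then
                    echo "request $id: CA rejected it; $requester lacks write access to $principal"
                    echo "fix (run as an IPA admin, then 'getcert resubmit -i $id'):"
                    suggest_fix "$requester" "$principal"
                else
                    echo "request $id: CA rejected it for another reason; inspect ca-error"
                fi ;;
            MONITORING) echo "request $id: issued and being tracked" ;;
            *) echo "request $id: status $status" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_GETCERT_OUTPUT" | triage "$REQUESTING_HOST"
```

With the sample above the script reports the rejected request and prints `ipa service-add-host --hosts=ipa-server.test.lan HTTP/service.mydom`; after that ACL change the stuck request can be resubmitted rather than recreated, which keeps the private key certmonger already generated.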