Hi everybody,

With my IPA version 4.4.0 on CentOS 7 64-bit, I need to sign my ESXi and
HP ILO certificates with my FreeIPA server.
I create the CSR with the following command: "openssl req -new -sha256 -nodes
-config openssl.cfg -newkey rsa:2048 -keyout esxi.key -out esxi.csr"

My OpenSSL configuration file contains the following information:
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:esxi, IP:X.X.X.X, DNS:esxi.example.com

[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Province
localityName = Town
0.organizationName = Corporate
organizationalUnitName = IT Services
commonName = esxi.example.com

Then, I use the "cat" command to display the certificate signing request, I
copy it and I paste it into my FreeIPA.

On my FreeIPA WebGui, I declare a host named esxi, I click on it, then on
the "action" button and finally "New certificate".
I select IPA for Certificate Authority, I use the caIPAserviceCert profile ID, I
paste the CSR and click.

I get the following error message:
Insufficient access : Subject alt name type IP Address is forbidden

I need to keep IP Address in SAN. Is there a way to authorize IPA to sign
my certificate? Many thanks.

Cordialement/Best regards,

Mikaël ANDRÉ
Mobile : +33 6 28 71 19 89
Mail : mikael.andre.1...@gmail.com
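
A pre-submission check for the situation described above, added here as an example; it is not part of the original message and not FreeIPA code. It reads an OpenSSL request config like the one in the post and lists the subjectAltName entries whose type matches the one named in the error message. The function names and the default forbidden type ("IP", taken only from that error) are assumptions, and the sample configs are constructed; the `@section` form of subjectAltName is handled as well, which goes beyond the inline form used in the post.

```python
import configparser

# Constructed sample: the SAN-related part of the openssl.cfg shown in the post.
SAMPLE_CFG = """
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName = DNS:esxi, IP:X.X.X.X, DNS:esxi.example.com

[ req_distinguished_name ]
commonName = esxi.example.com
"""

def san_entries(cfg_text):
    """Return [(type, value), ...] for the subjectAltName the CSR will request."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # OpenSSL option names are case-sensitive
    cp.read_string(cfg_text)
    # "[ req ]" is read as " req ", so normalise the section names.
    sections = {name.strip(): dict(cp.items(name)) for name in cp.sections()}
    ext_section = sections.get("req", {}).get("req_extensions")
    san = sections.get(ext_section, {}).get("subjectAltName", "").strip()
    if san.startswith("@"):
        # Section form: subjectAltName = @alt_names, with keys such as DNS.1, IP.1
        alt = sections.get(san[1:].strip(), {})
        return [(key.split(".")[0], value.strip()) for key, value in alt.items()]
    entries = []
    for item in (part.strip() for part in san.split(",")):
        if ":" in item:  # skips flags such as "critical"
            kind, _, value = item.partition(":")
            entries.append((kind.strip(), value.strip()))
    return entries

def rejected_entries(cfg_text, forbidden=("IP",)):
    """SAN entries whose type is in `forbidden` (assumed from the error text)."""
    return [entry for entry in san_entries(cfg_text) if entry[0] in forbidden]

if __name__ == "__main__":
    for kind, value in rejected_entries(SAMPLE_CFG):
        print(f"SAN type {kind} ({value}) matches the type named in the error")
```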