Mikaël ANDRE via FreeIPA-users wrote:
> Hi everybody,
> With my IPA version 4.4.0 on CentOS 7 64 Bits, I need to sign my ESXi
> and HP ILO certificates with my FreeIPA server.
> I create csr with the following command: "openssl req -new -sha256
> -nodes -config openssl.cfg -newkey rsa:2048 -keyout esxi.key -out esxi.csr"
> My OpenSSL configuration file contains the following information:
> [ req ]
> default_bits = 2048
> default_keyfile = rui.key
> distinguished_name = req_distinguished_name
> encrypt_key = no
> prompt = no
> string_mask = nombstr
> req_extensions = v3_req
> [ v3_req ]
> basicConstraints = CA:FALSE
> keyUsage = digitalSignature, keyEncipherment, dataEncipherment
> extendedKeyUsage = serverAuth, clientAuth
> subjectAltName = DNS:esxi, IP:X.X.X.X, DNS:esxi.example.com
> [ req_distinguished_name ]
> countryName = FR
> stateOrProvinceName = Province
> localityName = Town
> 0.organizationName = Corporate
> organizationalUnitName = IT Services
> commonName = esxi.example.com
> Then, I use the "cat" command to display the certificate signing request,
> I copy it and I paste it into my FreeIPA.
> On my FreeIPA WebGui, I declare a host named esxi, I click on it, then
> on the "action" button and finally "New certificate".
> I select IPA for Certificate Authority, I use the caIPAserviceCert profile
> ID, I paste the CSR and click.
> I get the following error message:
> Insufficient access : Subject alt name type IP Address is forbidden
> I need to keep IP Address in SAN. Is there a way to authorize IPA to
> sign my certificate? Many thanks.
IPA tries to validate that the certificates it issues are managed within
the IPA realm and IP address validation is difficult when IPA isn't
managing DNS (and we didn't want to make it required).
The only workaround would be code changes on the IPA server side to
remove the restriction.
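A pre-flight check for the situation in this thread, added here as an example and not code from the thread or from FreeIPA: it parses the SAN line of `openssl req -noout -text -in esxi.csr` output and reports the "IP Address" entries that the IPA CA will reject, so the problem shows up before the CSR is pasted into the WebUI. The sample CSR text and the 192.0.2.10 address are constructed.

```python
import re
from typing import Dict, List

# Constructed sample: the relevant part of `openssl req -noout -text -in esxi.csr`
# for a CSR built from the openssl.cfg quoted above (IP value is a placeholder).
SAMPLE_CSR_TEXT = """\
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=FR, ST=Province, L=Town, O=Corporate, OU=IT Services, CN=esxi.example.com
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:esxi, IP Address:192.0.2.10, DNS:esxi.example.com
    Signature Algorithm: sha256WithRSAEncryption
"""

# SAN type that IPA refuses in this thread ("Subject alt name type IP Address
# is forbidden"); openssl's text output labels such entries "IP Address:".
FORBIDDEN_SAN_TYPES = {"IP Address"}


def parse_san(csr_text: str) -> Dict[str, List[str]]:
    """Return SAN entries grouped by type (e.g. 'DNS', 'IP Address')
    from `openssl req -text` output; empty dict if no SAN extension."""
    m = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", csr_text)
    if not m:
        return {}
    entries: Dict[str, List[str]] = {}
    for item in m.group(1).split(","):
        # partition on the first ':' so IPv6 values keep their own colons
        san_type, _, value = item.strip().partition(":")
        entries.setdefault(san_type, []).append(value)
    return entries


def forbidden_sans(csr_text: str) -> List[str]:
    """List the SAN entries the IPA CA would reject, as 'type:value' strings."""
    return [f"{t}:{v}" for t, values in parse_san(csr_text).items()
            if t in FORBIDDEN_SAN_TYPES for v in values]


if __name__ == "__main__":
    for entry in forbidden_sans(SAMPLE_CSR_TEXT):
        print(f"IPA will reject this SAN entry: {entry}")
```

To check a real request, pipe `openssl req -noout -text -in esxi.csr` into `forbidden_sans()` instead of the sample text.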
FreeIPA-users mailing list -- firstname.lastname@example.org