On Thu, Sep 06, 2018 at 10:00:00AM -0000, Peter Tselios via FreeIPA-users wrote:
> Hello,
> I want to use the company's MS-CA as the single CA and thus I had to change
> the FreeIPA certificate.
> The process was smooth until the point of importing the certificate in the
> FreeIPA.
> I got this:
> ===============================================
> ipa-cacert-manage renew --external-cert-file=./ms-crt.pem
> Importing the renewed CA certificate, please wait
> Subject name encoding mismatch (visit
> http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
> The ipa-cacert-manage command failed.
> ===============================================
>
> The documentation is very clear: FreeIPA issues CSRs in UTF8.
> The MS-CA uses PRINTABLESTRING in the subject and the issuer.
> The MS admins/engineers do not want to change this to UTF8, so I am a little
> bit stuck here.
>
> Is there any way to configure FreeIPA to issue the CSR in PRINTABLESTRING and
> import it?
> Or is UTF8 the only format accepted by FreeIPA?

Hi Peter,
The mismatch between the CSR and the issued certificate is not the problem. Generating a CSR with PRINTABLESTRING encoding will not help.

The problem is that the new certificate's DN encoding differs from the existing CA certificate subject DN. Many programs will encounter problems if the CA subject DN encoding changes (i.e. they perform binary exact match on DNs and do not recognise the new certificate as the same CA). Therefore we do not allow the Subject DN encoding to change.

You will have to plead with your AD admins to allow the certificate to be issued with string encodings that match the existing certificate.

Incidentally, FreeIPA will accept any valid string encoding during installation. But the encoding must remain the same when renewing the CA certificate (which includes switching from self-signed to externally-signed or vice-versa).

Hope that has helped you understand this limitation.

Cheers,
Fraser
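An added illustration of the binary-exact comparison Fraser describes, not FreeIPA's own code: the same subject DN encoded once with UTF8String and once with PrintableString renders to identical text but differs byte-for-byte, which is what the "Subject name encoding mismatch" check is protecting against. The tiny DER encoder/decoder, the attribute set (only O and CN) and the sample DN values are constructed for the example.

```python
PRINTABLE_STRING = 0x13   # ASN.1 tag for PrintableString
UTF8_STRING = 0x0C        # ASN.1 tag for UTF8String
OIDS = {"O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}   # 2.5.4.10 and 2.5.4.3
NAMES = {v: k for k, v in OIDS.items()}

def der_tlv(tag, body):
    """Minimal DER tag-length-value; short-form length is enough for a small Name."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def encode_name(rdns, string_tag):
    """Encode a Name such as [("O", "Example"), ("CN", "Example CA")] as DER,
    using the given string tag for every attribute value."""
    body = b""
    for attr, value in rdns:
        atv = der_tlv(0x06, OIDS[attr]) + der_tlv(string_tag, value.encode("utf-8"))
        body += der_tlv(0x31, der_tlv(0x30, atv))   # RDN = SET of AttributeTypeAndValue
    return der_tlv(0x30, body)

def decode_name(der):
    """Return [(attr, value, string_tag)] by walking the nested DER structure."""
    out = []
    def walk(buf):
        i = 0
        while i < len(buf):
            tag, length = buf[i], buf[i + 1]
            body = buf[i + 2:i + 2 + length]
            if tag in (0x30, 0x31):          # SEQUENCE / SET: descend
                walk(body)
            elif tag == 0x06:                 # OID: remember which attribute follows
                out.append([NAMES[body]])
            else:                             # string value: attach to the last attribute
                out[-1] += [body.decode("utf-8"), tag]
            i += 2 + length
    walk(der)
    return [tuple(x) for x in out]

def render(der):
    """Text form of the DN, which hides the string-type difference entirely."""
    return ",".join(f"{a}={v}" for a, v, _ in decode_name(der))

def subject_encoding_mismatch(existing_der, new_der):
    """True when the DNs read the same but their DER bytes differ, i.e. clients
    that compare DNs byte-for-byte would not treat the new cert as the same CA."""
    return render(existing_der) == render(new_der) and existing_der != new_der

if __name__ == "__main__":
    rdns = [("O", "EXAMPLE.TEST"), ("CN", "Certificate Authority")]  # constructed DN
    old = encode_name(rdns, UTF8_STRING)        # constructed: existing FreeIPA CA subject
    new = encode_name(rdns, PRINTABLE_STRING)   # constructed: what the MS-CA would issue
    print(render(old), render(new), subject_encoding_mismatch(old, new))
```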
