Fredrik Arneving via FreeIPA-users wrote:
> Hi,
>
> I've tried to set up my freeIPA server on a freshly installed CentOS8 as a
> sub_CA of my existing PKI with private root-CA. My signing-CA has a match
> policy for (C)ountry and (O)rganizationName.
> When trying to sign the CSR generated from freeIPA with the command below it
> fails on a string encryption mismatch.
>
> The string encryption on my organizationName, as well as my server DN, is in
> PRINTABLESTRING encoding but my openssl generated signing cert needs it to be
> UTF8STRING.
> I was under the impression UTF8STRING is the default for freeIPA CSRs. What do I
> miss and how can I force it to be UTF8STRING?
>
>
> CSR was generated with command:
>
> ipa-server-install -r MYREALM.AS.UPPERCASE.DNSDOMAIN \
> --external-ca \
> --ca-subject CN=ipa-server-fqdn,C=SE,O=MyOrganizationName \
> --ca-base C=SE,O=MyOrganizationName
>
> Installation is successful and I'm supposed to sign the CSR and finalize
> ipa-install with the second step. However, the signing fails because
> MyOrganizationName != MyOrganizationName due to different encodings.
>
> When looking at the CSR with "openssl req -noout -text -in ipa.csr"
> everything looks OK but when using "openssl asn1parse -in ipa.csr" it shows
> the mismatch of the organizationName PRINTABLESTRING compared to my
> successfully signed CSR's UTF8STRING.
>
> Any ideas?
>
> kernel version: 4.18.0-147.5.1.el8_1.x86_64
> ipa-server: ipa-server-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64
> openssl: openssl-1.1.1c-2.el8.x86_64
Does https://pagure.io/freeipa/issue/7042 help?

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
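The mismatch in the thread is invisible to `openssl req -text` because both PrintableString (tag 0x13) and UTF8String (tag 0x0C) print the same characters; only the DER tag differs. The following is an added example, not code from the thread or from FreeIPA, that walks a DER-encoded X.509 Name and reports the string type of each attribute, then flags attributes whose text matches but whose encoding does not. The two subjects it compares are constructed inline to mirror the poster's `C=SE,O=MyOrganizationName` case; the OIDs and tag numbers are the standard X.520/ASN.1 values.

```python
# Added example (not from the thread): inspect ASN.1 string types in a DER Name.
OID_C, OID_O, OID_CN = b'\x55\x04\x06', b'\x55\x04\x0a', b'\x55\x04\x03'
OID_NAMES = {OID_C: 'C', OID_O: 'O', OID_CN: 'CN'}
STRING_TAGS = {0x13: 'PRINTABLESTRING', 0x0c: 'UTF8STRING', 0x16: 'IA5STRING',
               0x14: 'T61STRING', 0x1e: 'BMPSTRING'}

def read_tlv(data, pos):
    """Return (tag, value, next_pos) for the DER element at pos; handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7f
        length, pos = int.from_bytes(data[pos:pos + n], 'big'), pos + n
    return tag, data[pos:pos + length], pos + length

def name_attributes(name_der):
    """Walk Name ::= SEQUENCE OF SET OF {OID, value}; return [(attr, string_type, text)]."""
    tag, seq, _ = read_tlv(name_der, 0)
    assert tag == 0x30, 'Name must be a SEQUENCE'
    out, pos = [], 0
    while pos < len(seq):
        _, rdn_set, pos = read_tlv(seq, pos)          # one RelativeDistinguishedName (SET)
        spos = 0
        while spos < len(rdn_set):
            _, atv, spos = read_tlv(rdn_set, spos)    # AttributeTypeAndValue (SEQUENCE)
            _, oid, p = read_tlv(atv, 0)
            vtag, value, _ = read_tlv(atv, p)
            out.append((OID_NAMES.get(oid, oid.hex()),
                        STRING_TAGS.get(vtag, hex(vtag)), value.decode('utf-8')))
    return out

def encode_name(attrs):
    """Build a DER Name from [(oid, string_tag, text)]; constructed test input, not IPA output."""
    def tlv(tag, body):
        assert len(body) < 128, 'short-form lengths only in this helper'
        return bytes([tag, len(body)]) + body
    return tlv(0x30, b''.join(tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(stag, text.encode())))
                              for oid, stag, text in attrs))

def encoding_mismatches(name_a, name_b):
    """Attributes with identical text but different ASN.1 string types: the
    'MyOrganizationName != MyOrganizationName' failure a strict matching policy raises."""
    a = {(attr, text): enc for attr, enc, text in name_attributes(name_a)}
    b = {(attr, text): enc for attr, enc, text in name_attributes(name_b)}
    return [(attr, text, a[k], b[k]) for k in a if k in b and a[k] != b[k] for attr, text in [k]]

# Constructed sample: what the poster saw (all PrintableString) next to what the CA expects
# (UTF8String for O; countryName stays PrintableString per RFC 5280 even under utf8only).
IPA_CSR_SUBJECT = encode_name([(OID_C, 0x13, 'SE'), (OID_O, 0x13, 'MyOrganizationName'),
                               (OID_CN, 0x13, 'ipa-server-fqdn')])
CA_POLICY_SUBJECT = encode_name([(OID_C, 0x13, 'SE'), (OID_O, 0x0c, 'MyOrganizationName')])
```

To run the same check on a real file, feed the Subject element's DER (the offset `openssl asn1parse -in ipa.csr` reports for it) to `name_attributes`. For requests that OpenSSL itself generates, the `string_mask` setting in the `req` section of openssl.cnf (for example `string_mask = utf8only`) selects the string type, which is the knob to compare against the CA's policy.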