On Mon, Oct 19, 2020 at 11:42:08PM +1000, Fraser Tweedale via FreeIPA-users 
wrote:
> On Mon, Oct 19, 2020 at 06:52:20AM -0000, Krzysztof O via
> FreeIPA-users wrote:
> > Hello,
> > 
> > I'd like to ask if there is any workaround for issuing
> > certificates that will have a Common Name longer than 64 characters?
> > 
> > For FREEIPA version less than 4.8.0 which is designated for RHEL
> > 8, when we will have to stay with current version of RHEL 7.
> > 
> > Regards, Krzysztof
> 
> Hi Krzysztof,
> 
> X.509 imposes the limit of 64 characters in the Common Name
> attribute.  There is no workaround to exceed this limit.  But
> assuming this is a host or service certificate bearing DNS names,
> you can work around it another way:
> 
> Add a principal alias to the host/service entry via the `ipa
> {host,service}-add-principal` command.  The principal alias should
> have the same service type as the main object, i.e.
> "host/$HOSTNAME" for a host principal, "HTTP/$HOSTNAME" for an HTTP
> service principal, etc.  The hostname in the principal alias should
> be shorter than 64 characters.
> 
> Create a CSR with the shorter hostname in the CN attribute, and the
> longer hostname in the SAN DNS name.  Then you will be able to
> request the certificate.
> 
> The proper solution would be to support issuing certificates with
> empty subject DN.  I thought I previously filed a ticket for this,
> but I can't find it now.
> 
Found the ticket: https://pagure.io/freeipa/issue/5706

I also wrote a blog post about this, detailing the workaround
procedure:
https://frasertweedale.github.io/blog-redhat/posts/2020-10-20-ipa-cert-long-hostname.html

Cheers,
Fraser
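The quoted workaround as a runnable script. This is an added example, not code from the thread, from Fraser's blog post or from the FreeIPA project: the hostnames, the HTTP service type and the file names are constructed for illustration, and the `ipa service-add-principal` / `ipa cert-request --principal=...` lines are printed in the form the standard CLI takes rather than executed, since they only make sense on an enrolled client. The part that does run offline checks the 64-character CN bound, writes an OpenSSL req config with the short alias in CN and the long name in the SAN, and generates the key and CSR with openssl when it is installed.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): short alias in the CSR's CN,
# long hostname in the SAN, then the ipa steps the workaround calls for.
# LONG_HOST, SHORT_HOST, SERVICE and all file names are constructed values.

LONG_HOST="very-long-application-server-name-for-the-production-cluster-01.example.test"
SHORT_HOST="app01.example.test"   # principal alias, same service type, < 64 chars
SERVICE="HTTP"
CN_MAX=64                          # X.509 / X.520 ub-common-name

# Returns 0 if the name fits in a Common Name attribute, 1 otherwise.
cn_fits() {
    [ "${#1}" -le "$CN_MAX" ]
}

# OpenSSL req config: $1 (short alias) in CN, $2 (long name) and $1 as SAN dNSNames.
csr_config() {
    cat <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = ext

[ dn ]
CN = $1

[ ext ]
subjectAltName = DNS:$2, DNS:$1
EOF
}

# ipa commands for an enrolled client (printed, not run): add the alias to the
# service entry, then request the cert against the main principal with the CSR.
ipa_steps() {
    svc=$1; long=$2; short=$3; csr=$4
    printf '%s\n' \
        "ipa service-add-principal $svc/$long $svc/$short" \
        "ipa cert-request --principal=$svc/$long $csr"
}

# Generate key and CSR from the config; returns 1 when openssl is unavailable or fails.
make_csr() {
    cfg=$1; key=$2; csr=$3
    command -v openssl >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" -config "$cfg" 2>/dev/null
}

if cn_fits "$LONG_HOST"; then
    echo "$LONG_HOST fits in a CN; no workaround needed"
else
    echo "$LONG_HOST is ${#LONG_HOST} chars, over the $CN_MAX-char CN bound; using alias $SHORT_HOST in CN"
fi
cn_fits "$SHORT_HOST" || { echo "alias $SHORT_HOST is itself too long for a CN" >&2; exit 1; }

WORK=$(mktemp -d)
csr_config "$SHORT_HOST" "$LONG_HOST" > "$WORK/req.cnf"
if make_csr "$WORK/req.cnf" "$WORK/$SHORT_HOST.key" "$WORK/$SHORT_HOST.csr"; then
    openssl req -in "$WORK/$SHORT_HOST.csr" -noout -subject
    openssl req -in "$WORK/$SHORT_HOST.csr" -noout -text | grep -A1 'Subject Alternative Name' || true
else
    echo "could not generate a CSR (openssl missing or failed); config left in $WORK/req.cnf"
fi
echo "Next, on the IPA client:"
ipa_steps "$SERVICE" "$LONG_HOST" "$SHORT_HOST" "$WORK/$SHORT_HOST.csr"
```

Both names end up on the same service entry (the long one as the canonical principal, the short one as the alias), which is what lets the CN pass the principal check while the SAN still carries the name clients will connect to. If you are doing this for a host certificate rather than a service, the alias is `host/$SHORT_HOST` added with `ipa host-add-principal`, and the request is made against the host principal instead.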
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org