Yes, that appears to be the problem. We have not confirmed it yet with the customer, but tests we did with a test root-ca (openssl) did show that the certificate needs to have the same order of the DN components as the CSR in order for FreeIPA to accept it.
Our tests also showed that we can set the order on both sides, meaning that the FreeIPA server accepted the certificate if it was signed with

(FreeIPA and NSS)
CSR: CN,O,C
CERT: CN,O,C

and

(OpenSSL)
CSR: C,O,CN
CERT: C,O,CN

The order of the values can be configured either on the FreeIPA server when creating the CSR, by rearranging the order of the DN components, or on the root-ca end by modifying the configuration file openssl uses:

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional

Thanks,
Anestis
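
The behaviour behind these test results, as an added example that is not part of the original message and is not FreeIPA or OpenSSL code: openssl ca writes the subject in the order of the policy section unless preserve = yes (or -preserveDN) is set, so a CSR in CN,O,C order comes back as C,O,CN under the quoted policy_anything. The Python below is a simplified model of that; the subject values and all function names are constructed for illustration.

```python
# Added example: simplified model of how `openssl ca` orders the issued subject DN.
# Only the "optional" and "supplied" policy rules from the message are modelled.

# Field order of the [ policy_anything ] section quoted in the message.
POLICY_ANYTHING = [
    ("countryName", "optional"), ("stateOrProvinceName", "optional"),
    ("localityName", "optional"), ("organizationName", "optional"),
    ("organizationalUnitName", "optional"), ("commonName", "supplied"),
    ("name", "optional"), ("emailAddress", "optional"),
]
SHORT = {"countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
         "organizationName": "O", "organizationalUnitName": "OU",
         "commonName": "CN", "name": "name", "emailAddress": "emailAddress"}
LONG = {short: long for long, short in SHORT.items()}

# Constructed sample: a CSR subject in the CN,O,C order (values are made up).
CSR_SUBJECT = [("CN", "Certificate Authority"), ("O", "EXAMPLE.TEST"), ("C", "US")]


def issued_subject(csr_subject, policy, preserve=False):
    """Subject DN the CA writes into the certificate, as (type, value) pairs."""
    present = {t for t, _ in csr_subject}
    for field, rule in policy:
        if rule == "supplied" and SHORT[field] not in present:
            raise ValueError(f"{field} must be supplied in the CSR")
    if preserve:  # `preserve = yes` / -preserveDN: keep the request's order
        return list(csr_subject)
    # Default: walk the policy top to bottom; unlisted components are dropped.
    return [(t, v) for field, _ in policy for t, v in csr_subject if t == SHORT[field]]


def order_matches(csr_subject, cert_subject):
    """True when the certificate carries the CSR's components in the same order."""
    return list(csr_subject) == list(cert_subject)


def policy_following(csr_subject, policy):
    """Reorder the policy lines so the CSR's components come first, in CSR order."""
    rules = dict(policy)
    first = list(dict.fromkeys(LONG[t] for t, _ in csr_subject if LONG.get(t) in rules))
    rest = [field for field, _ in policy if field not in first]
    return [(field, rules[field]) for field in first + rest]


if __name__ == "__main__":
    fixed = policy_following(CSR_SUBJECT, POLICY_ANYTHING)
    for label, cert in [("default policy", issued_subject(CSR_SUBJECT, POLICY_ANYTHING)),
                        ("reordered policy", issued_subject(CSR_SUBJECT, fixed)),
                        ("preserve", issued_subject(CSR_SUBJECT, POLICY_ANYTHING, True))]:
        print(label, [t for t, _ in cert], "matches CSR:", order_matches(CSR_SUBJECT, cert))
```

Running it shows the default policy producing C,O,CN (no match), while either the reordered policy or preserve keeps CN,O,C.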
