On Wed, Aug 04, 2021 at 07:41:11AM -0000, Nerd Invert via FreeIPA-users wrote:
> I have a piece of equipment with a web interface, for which I
> would like to generate a certificate. The web interface supports
> generating a CSR, but it's not possible to customize very much,
> and this gives problems when trying to feed the CSR into FreeIPA.
> 
> The relevant parts of the CSR look like this:
> 
> Certificate Request:
>     Data:
>         Version: 2 (0x2)
>         Subject: emailAddress=redac...@example.com, C=redacted, ST=redacted, 
> L=redacted, O=redacted, OU=redacted, CN=equipment0.example.local
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                    ...
>                 Exponent: redacted
>         Attributes:
>         Requested Extensions:
>             X509v3 Subject Key Identifier: 
>                 AB:84:B3:86:45:E9:66:86:F2:35:FB:88:56:B4:36:B4:1A:6A:B1:86
>             X509v3 Basic Constraints: critical
>                 CA:FALSE
>             X509v3 Key Usage: critical
>                 Digital Signature, Non Repudiation, Key Encipherment
>             X509v3 Subject Alternative Name: 
>                 DNS:equipment0.example.local, DNS:169.254.0.1, IP 
> Address:169.254.0.1
>     Signature Algorithm: sha256WithRSAEncryption
>          ...
> 
> When feeding this CSR to FreeIPA, I get the following error:
> 
> The service principal for subject alt name 169.254.0.1 in
> certificate request does not exist
> 
> I don't know where this 169.254.0.1 comes from, or how to change
> this. Is there a workaround to make FreeIPA accept this? Can I
> create that as a HTTP service and attach to the host?

Greetings.  This is a zeroconf IP address.  It is strange for the
device to include it in a CSR as an SAN iPAddressName value.  And it
is outright wrong to include it as a SAN dNSName value.

Apart from hacking the code that validates certificate requests,
there is no way around this in FreeIPA.  There is no way to relax
the rigorous CSR validation FreeIPA performs, and that is by
design.

Perhaps you can get at the private key and generate a valid CSR
yourself?  Or perhaps there is a way to import a private key (with
or without certificate) into the device.  Otherwise, you could raise
a ticket with the vendor for assistance.

Thanks,
Fraser
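The "generate a valid CSR yourself" route from the reply, as an added example that is not part of the original thread or of FreeIPA's own tooling: a POSIX shell script that (a) builds a key and CSR whose SAN carries only the host's dNSName, with the CA:FALSE and key-usage extensions the device's CSR already had, and (b) inspects any CSR's SAN for the two entries the reply objects to, an IP literal inside a dNSName and a link-local (169.254/16) iPAddressName, which is the check to run before handing a vendor-generated CSR to FreeIPA. FreeIPA maps every SAN entry to a principal, so either bogus entry produces the "service principal ... does not exist" error quoted above. Assumptions: openssl 1.1.1 or later on PATH; the hostname and address are the ones from the thread; the subject fields are placeholders; `make_csr`, `san_entries` and `check_san` are names I chose for this example.

```shell
#!/bin/sh
# Added example, not code from the original thread or from FreeIPA.
# Assumes: openssl (1.1.1 or later) is on PATH. Hostname and address are
# the ones from the thread; every other subject field is a placeholder.
set -eu

# Generate a private key and CSR with the given SAN list, e.g. "DNS:host".
# This is the "generate a valid CSR yourself" route from the reply: the
# SAN is fully under our control, so we only list the real DNS name.
make_csr() {
    host=$1 san=$2 key=$3 csr=$4
    cfg=$(mktemp)
    cat >"$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $host
[ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = $san
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
        -keyout "$key" -out "$csr" 2>/dev/null
    rm -f "$cfg"
}

# Print the SAN entries of a CSR, one per line, e.g. "DNS:host" or
# "IP Address:169.254.0.1" (the labels openssl's -text output uses).
san_entries() {
    openssl req -noout -text -in "$1" \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# Return 1 (printing each reason) if the SAN holds something FreeIPA will
# not map to a service principal: an IPv4 literal inside a dNSName, or a
# link-local iPAddressName. Return 0 if the SAN looks sane.
# The dNSName test is a rough glob (four dot-separated fields, each
# starting with a digit), good enough to catch what the device emits.
check_san() {
    bad=0
    while IFS= read -r e; do
        case $e in
            DNS:[0-9]*.[0-9]*.[0-9]*.[0-9]*)
                echo "IP literal in dNSName: $e"; bad=1 ;;
            "IP Address:169.254."*)
                echo "link-local iPAddressName: $e"; bad=1 ;;
        esac
    done <<EOF
$(san_entries "$1")
EOF
    return $bad
}

# Stand-alone use: pass a CSR file to check its SAN; exit status is the
# verdict (0 clean, 1 problems found).
if [ $# -eq 1 ]; then
    check_san "$1"
fi
```

Once `check_san` is silent on the CSR, submit it for the host's web service with FreeIPA's own client, for example `ipa cert-request --principal=HTTP/equipment0.example.local@EXAMPLE.LOCAL equipment0.csr` (the realm is an assumption, and the host and its HTTP service must already exist in IPA). Running `check_san` against the CSR the device produced reproduces both complaints, since that CSR carries `DNS:169.254.0.1` as well as `IP Address:169.254.0.1`.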
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure