Looking at the logs when the FreeIPA server is first set up, it is easy to
see that the only real information included for the CA besides the CN
is the organization, which is set to the Kerberos realm. I'm creating
some certificates manually to test out the various parts of a manual
client join. I notice that if I include more information such as MAIL,
L, ST, C, or a Subject Alternate Name, the certificate request is
denied by IPA with the error:

ipa: ERROR: invalid 'fqdn': must be Unicode text

Is this due to the fact that the installation routine doesn't allow
additional attributes for the CA itself so the CA won't allow you to
include this information in the certificates, or some other issue? It
works perfectly when I only use
"CN=clientname.example.com,O=EXAMPLE.COM" for the subject of the
certificate.

Steve
