Looking at the logs when FreeIPA server is first set up, it is easy to see that the only real information included for the CA besides the CN is the organization, which is set to the Kerberos realm. I'm creating some certificates manually to test out the various parts of a manual client join. I notice that if I include more information such as MAIL, L, ST, C, or a Subject Alternate Name, the certificate request is denied by IPA with the error:

    ipa: ERROR: invalid 'fqdn': must be Unicode text

Is this due to the fact that the installation routine doesn't allow additional attributes for the CA itself, so the CA won't allow you to include this information in the certificates, or some other issue? It works perfectly when I only use "CN=clientname.example.com,O=EXAMPLE.COM" for the subject of the certificate.

Steve
