Stephen Ingram wrote:
Looking at the logs when FreeIPA server is first setup, it is easy to
see that the only real information included for the CA besides the CN
is the organization which is set to the kerberos realm. I'm creating
some certificates manually to test out the various parts of a manual
client join. I notice that if I include more information such as MAIL,
L, ST, C, or, a Subject Alternate Name the certificate request is
denied by IPA with the error:
ipa: ERROR: invalid 'fqdn': must be Unicode text
Is this due to fact that the installation routine doesn't allow
additional attributes for the CA itself so the CA won't allow you to
include this information in the certificates, or some other issue? It
works perfectly when I only use
"CN=clientname.example.com,O=EXAMPLE.COM" for the subject of the
certificate.
Steve
Well, that isn't the right error message. It should be complaining that
the subject doesn't match.
You can't include extra subject information. With a dogtag CA install it
will all be silently dropped. A selfsign CA install does validation to
ensure it matches the subject.
The subject base is configurable only at install time.
rob
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users