Stephen Ingram wrote:
Looking at the logs when FreeIPA server is first setup, it is easy to
see that the only real information included for the CA besides the CN
is the organization which is set to the Kerberos realm. I'm creating
some certificates manually to test out the various parts of a manual
client join. I notice that if I include more information such as MAIL,
L, ST, C, or a Subject Alternative Name, the certificate request is
denied by IPA with the error:

ipa: ERROR: invalid 'fqdn': must be Unicode text

Is this due to the fact that the installation routine doesn't allow
additional attributes for the CA itself so the CA won't allow you to
include this information in the certificates, or some other issue? It
works perfectly when I only use
"CN=clientname.example.com,O=EXAMPLE.COM" for the subject of the
certificate.

Steve

Well, that isn't the right error message. It should be complaining that the subject doesn't match.

You can't include extra subject information. With a dogtag CA install it will all be silently dropped. A selfsign CA install does validation to ensure it matches the subject.

The subject base is configurable only at install time.

rob
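A pre-flight check for the rule described in the reply above, added here as an example and not code from FreeIPA or from either poster. It assumes the subject base is the install-time value `O=<REALM>` and that a host certificate subject must be exactly `CN=<fqdn>,<subject base>`; the DN strings in the test are constructed samples.

```python
"""Check a certificate subject against the FreeIPA subject base before
submitting the request, so extra attributes are caught up front instead of
being silently dropped (dogtag) or rejected (selfsign).

Assumption: subject base is 'O=<REALM>' and the expected host subject is
CN=<fqdn>,<subject base>. Not FreeIPA code; an added example."""
import re


def parse_dn(dn):
    """Split an RFC 4514-style DN string into (ATTR, value) pairs.
    Backslash-escaped commas inside values are honoured; multi-valued RDNs
    ('+') do not occur in IPA host subjects and are rejected."""
    pairs = []
    for rdn in re.split(r'(?<!\\),', dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        if re.search(r'(?<!\\)\+', rdn):
            raise ValueError("multi-valued RDN not supported: %r" % rdn)
        attr, sep, value = rdn.partition('=')
        if not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip().upper(), value.strip().replace('\\,', ',')))
    return pairs


def check_subject(dn, fqdn, subject_base):
    """Return a list of problems; an empty list means the subject is exactly
    CN=<fqdn> followed by the subject base and should be accepted."""
    expected = [('CN', fqdn)] + parse_dn(subject_base)
    actual = parse_dn(dn)
    if actual == expected:
        return []
    problems = []
    cns = [v for a, v in actual if a == 'CN']
    if cns != [fqdn]:
        problems.append("CN must be exactly the host fqdn %r, got %r" % (fqdn, cns))
    for attr, value in actual:
        if attr != 'CN' and (attr, value) not in expected:
            # MAIL, L, ST, C and similar land here: not part of the subject base.
            problems.append("extra attribute %s=%s is not allowed" % (attr, value))
    for attr, value in expected[1:]:
        if (attr, value) not in actual:
            problems.append("missing subject base attribute %s=%s" % (attr, value))
    if not problems:
        problems.append("attributes present but not in the order CN, subject base")
    return problems
```

A Subject Alternative Name is an extension rather than a subject attribute, so it is outside what this subject check can see.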

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
