Stephen Ingram wrote:
Looking at the logs when FreeIPA server is first setup, it is easy to
see that the only real information included for the CA besides the CN
is the organization which is set to the kerberos realm. I'm creating
some certificates manually to test out the various parts of a manual
client join. I notice that if I include more information such as MAIL,
L, ST, C, or, a Subject Alternate Name the certificate request is
denied by IPA with the error:

ipa: ERROR: invalid 'fqdn': must be Unicode text

Is this due to fact that the installation routine doesn't allow
additional attributes for the CA itself so the CA won't allow you to
include this information in the certificates, or some other issue? It
works perfectly when I only use
",O=EXAMPLE.COM" for the subject of the


Well, that isn't the right error message. It should be complaining that the subject doesn't match.

You can't include extra subject information. With a dogtag CA install it will all be silently dropped. A selfsign CA install does validation to ensure it matches the subject.

The subject base is configurable only at install time.


Freeipa-users mailing list

Reply via email to