On 02/21/2013 07:23 PM, Kendrick . wrote:
It is part of my initial setup.  I copied the ipa.csr into cacert's
signing system so that the certificates would be valid outside of my
local domain, and it errors because the host information said
certificate authority instead of the host name, if I understand that
error message properly.

I am trying to get the csr to provide all the information needed by
cacert's free signing service.  I was expecting to be able to use the
user certificates that freeipa makes to sign emails and such that would
go externally.


The CA will only sign a cert for a domain registered to you. To see what domain the CSR is for, dump its contents using openssl, for example:

openssl req -in ipa.csr -noout -text

Does the CN in the subject match the domain you registered with cacert.org? If not, it's not going to sign it.

But wait, there's more: you're not just asking cacert to sign a plain cert, you're asking it to sign a CA cert, effectively creating a sub-CA of cacert. That means with that cert you can issue new certs and cacert will "vouch" for them, but of course they can't control who you're issuing certs to, which is a significant security issue. This FAQ entry from cacert will help clarify:

http://wiki.cacert.org/SubRoot

--
John Dennis <jden...@redhat.com>
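
Added example (not part of the message above, and not FreeIPA or cacert code): a shell sketch of the two checks described in the reply, reading the CN from a CSR subject and testing whether the request asks for a CA certificate. The subject values, file names and helper function names are constructed for illustration; the CSRs are generated locally so the script runs offline.

```shell
#!/bin/sh
# Added example. Subject values and file names are constructed.

# make_csr OUT CN BASIC_CONSTRAINTS: build a throwaway CSR to inspect.
make_csr() {
    cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
O = EXAMPLE.TEST
CN = $2
[ext]
basicConstraints = critical,$3
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1" -config "$1.cnf" 2>/dev/null
}

# Print the commonName from the CSR subject.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Succeed only if the CSR requests basicConstraints CA:TRUE.
csr_requests_ca() {
    openssl req -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Summarise what a signer would see in the request.
report() {
    if csr_requests_ca "$1"; then kind="CA (sub-CA request)"; else kind="end-entity"; fi
    echo "$1: CN='$(csr_cn "$1")' type=$kind"
}

demo() {
    d=$(mktemp -d)
    make_csr "$d/ca.csr" "Certificate Authority" "CA:TRUE"   # CA-style request
    make_csr "$d/host.csr" "mail.example.test" "CA:FALSE"    # host request
    report "$d/ca.csr"
    report "$d/host.csr"
    rm -rf "$d"
}
demo
```

Running `csr_cn` and `csr_requests_ca` against a real request such as ipa.csr shows the same two facts a signer checks before issuing.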