On 02/21/2013 07:23 PM, Kendrick . wrote:
It is part of my initial setup.  I copied the ipa.csr in to cacert's
signing system so that the certificates would be valid outside of my
local domain.  and it errors because the host information said
certificate authority instead of the host name if I understand that
error mesage properly.

I am trying to get the csr to provide all the information needed by
cacerts free signing service.  I was expecting to be able to use the
user certificates that freeipa makes to sign emails and such that would
go externally.

The CA will only sign a cert for a domain registered to you. To see what domain the CSR is for dump it's contents using openssl, for example:

openssl req -in ipa.csr -noout -text

Does the CN in the subject match the domain you registered with cacert.org? If not it's not going to sign it.

But wait, there's more, you're not just asking cacert to sign a plain cert you're asking it to sign a CA cert effectively creating a sub-CA of cacert. That means with that cert you can issue new certs and cacert will "vouch" for them, but of course they can't control who you're issuing certs to which is a significant security issue. This FAQ entry from cacert will help clarify:


John Dennis <jden...@redhat.com>

Looking to carve out IT costs?

Freeipa-users mailing list

Reply via email to