Hi,

On 3.1.2014 22:13, James Scollard wrote:
Thanks for the reply,

Version:

Package freeipa-server-3.3.3-2.fc19.x86_64 already installed and latest
version...

I'm not sure I understand the answer.

I created the CSR and they signed it using their automation, and
returned the new ones to me for installation, which failed.
SUN.WEATHER.COM is a valid Kerberos domain name, but not a valid O=. The
node itself is xxxxx.sun.weather.com, we have a wildcard certificate for
sun.weather.com, and this domain controller needs the certificate for
the domain for setup to complete.

What am I doing wrong here?

I sense some confusion about ipa-server-install options here. You use a wildcard server certificate as IPA's CA certificate, which is obviously not correct. It seems to me you are trying to do one of the following:

a) Set up IPA using your own server certificate. This is achieved using the --*_pkcs12 options.

You must create a PKCS#12 file with the certificate and its private key in order to do this. Assuming you save the PKCS#12 file to /root/ldapm6x00.sun.weather.com.p12, the command line should look something like:

# ipa-server-install --dirsrv_pkcs12=/root/ldapm6x00.sun.weather.com.p12 --http_pkcs12=/root/ldapm6x00.sun.weather.com.p12 --root-ca-file=/root/sun.weather.com.crt

b) Set up IPA including an IPA-managed CA, with the CA being a subordinate of some external CA. This is where you should use the --external* options.

First run ipa-server-install with --external-ca, which will create a CSR for the IPA CA certificate in /root/ipa.csr. Then sign the CSR with the external CA to get the IPA CA certificate. Finally, run ipa-server-install with --external_cert_file pointing to the IPA CA certificate and --external_ca_file pointing to the CA certificate of the external CA.


On 1/3/14 3:58 PM, Rob Crittenden wrote:
James Scollard wrote:
When attempting to run the second part of the installation with an
external CA (Globalsign) using my signed certificate and CA certificate
chain I get the following;

[root@ldapm6x00 ~]# ipa-server-install
--external_cert_file=/root/ldapm6x00.sun.weather.com.crt
--external_ca_file=/root/sun.weather.com.crt

The log file for this installation can be found in
/var/log/ipaserver-install.log
Directory Manager password:

Subject of the external certificate is not correct (got
CN=*.sun.weather.com,O=The Weather Channel Interactive\,
Inc,L=Atlanta,ST=Georgia,C=US, expected CN=Certificate
Authority,O=SUN.WEATHER.COM).

CN= and O= are correct, so why is IPA refusing to use the certificate?
It appears to be expecting bogus data instead of using the provided
identity.  This doesn't appear to be an issue with the certificate,
although I have never installed FreeIPA with a Globalsign certificate. I
did not see this problem with Network Solutions wildcard certificates
though.  Any suggestions would be appreciated.

This isn't related to the external CA, it just can't modify the
subject of the IPA CA, which it did in this case. I'm not even
entirely sure what it would mean to have the CA certificate itself be
a wildcard cert. Doesn't seem to be a valid use-case though.

Looks like this validation was added in v3.

rob



Honza

--
Jan Cholasta

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
