Anwar El fatayri wrote:
> Hello everyone...
> I'm trying to request SSL Certificates from my machines (ex:
> vadqualif02) for a specific service (ex: Syslog-ng).
> I would like to distinguish between my client and server certificates
> by changing the DN. The problem is that when I try to do that (see the
> command below), I'm still getting the default DN (CN=hostname).
> sudo ipa-getcert request -r -f
> /etc/pki/tls/certs/syslog-ng_vadqualif02.lbg.office.lyra.crt -k
> /etc/pki/tls/private/syslog-ng_vadqualif02.lbg.office.lyra.key -N
> OU=toto,CN=roro -K SYSLOG-NG_CLIENT/vadqualif02.lbg.office.l...@office.lyra
> Any ideas?

I'm surprised this isn't just being rejected instead.
IPA requires that the CN of the CSR match the host/service being
requested for. It will also drop anything other than CN and replace it
with the subject of the CA (usually O=EXAMPLE.COM).
There is no way around this.