Anwar El fatayri wrote:
> Hello everyone...
>
> I'm trying to request SSL certificates from my machines (ex: vadqualif02)
> for a specific service (ex: Syslog-ng).
>
> I would like to distinguish between my client and server certificates
> by changing the DN. The problem is that when I try to do that (see the
> command below), I'm still getting the default DN (CN=hostname).
>
> sudo ipa-getcert request -r -f
> /etc/pki/tls/certs/syslog-ng_vadqualif02.lbg.office.lyra.crt -k
> /etc/pki/tls/private/syslog-ng_vadqualif02.lbg.office.lyra.key -N
> OU=toto,CN=roro  -K SYSLOG-NG_CLIENT/vadqualif02.lbg.office.l...@office.lyra
> 
> Any ideas?

I'm surprised this isn't just being rejected instead.

IPA requires that the CN of the CSR match the host/service being
requested for. It will also drop anything other than CN and replace it
with the subject of the CA (usually O=EXAMPLE.COM).

There is no way around this.

rob
