-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi list,

The end goal is to eliminate self signed certs from user interaction
with FreeIPA, without having to roll out changes to each user in the
house (and remote locations).  So basically changing the CA to a
trusted CA that will not bring "scare" the users with "Site security
cannot be verified, return to safety."

The problem with the CN is that when it is read from the CSR the
CN="Certificate Authority".  Which is not an acceptable CN according
to the tool we use for generating certs, The tool we use expects a CN
of something along the lines of example.com.

Thanks,
Bill

On 4/21/15 2:55 PM, Rob Crittenden wrote:
> William Graboyes wrote:
>> Hi List,
>> 
>> I am having yet another issue, when I run the following command: 
>> ipa-cacert-manage renew --external-ca
>> 
>> It does output the CSR, however the CN is not a valid name 
>> (Certificate Authority).  Is it possible to change the output of
>> this command to use an external CA that requires a proper common
>> name to be in the CSR?
>> 
>> What I am trying to do is change from the internal self signed
>> certs to an external CA signing system.
>> 
> 
> What isn't valid about the name?
> 
> This would make the IPA CA a subordinate of the external CA. Is
> that what you want?
> 
> rob
> 
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJVQofVAAoJEJFMz73A1+zrIysP+QFRo04UdfWhJxfWSkkG+0Ig
1kMqQuTN3/ee4AQ/g6rqMUhCPbWTh5MeM2vMf346hrEyq1m/1EpCflj3OfF0Rk6u
S5k4rJBatglaGBWwjp1bufgLBrFveLNrVVDBE4tAb4+Ss8sQbT+2rgdVKuyNiVU0
msPGpNDh9XaL5neXbzUyo2sJ1tVV0ltwI6St58dF1EhqwVSTm62+tkpixoMez2FX
JEuSvOQMk0k29Sox3kNW4SQB+/lkv3IveEe/gow0PoRQNom9jsR04tjFJn7rB8mo
T0BrKB0jVbvjqwzhB8OHzijmnQZG4Jg2y10uxju+6wKTWibMZh9XT67K53zwE4Cg
jNRuRf1Ukei/R8e4HggICKLlFdSjb/aBSQESNhwdCosUlT6XGrZVNjNz3TRQaAtM
E4eYny9kdcAfOBaafMjViPJPxJf+98X9x3VbIxdKmSOZzi9rSelZetuK7w9hpn7q
rJxHyy363PhzwDfEmBfbnXE2nmVWVYONwb8KI0E66fCs2ilH9ElqwG/eBpFDxI5M
e10d50QrCHn2UkNbHAV6sQVgIYeGoJT34dAT6jRqUvF02tH1bcIWakqZrjgyw0wh
4VBpKnh3jmDC+sKv++7AeAccxqY73Y83lhy00xuXckiLDoS3d1CLlpQtpWl9cFrp
URRCyh9IDBo6sgMrm2Sn
=vz3J
-----END PGP SIGNATURE-----

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to