The end goal is to eliminate self-signed certs from user interaction
with FreeIPA, without having to roll out changes to each user in the
house (and remote locations). So basically changing the CA to a
trusted CA that will not "scare" the users with "Site security
cannot be verified, return to safety."
The problem with the CN is that when it is read from the CSR the
CN="Certificate Authority", which is not an acceptable CN according
to the tool we use for generating certs. The tool we use expects a CN
of something along the lines of example.com.
On 4/21/15 2:55 PM, Rob Crittenden wrote:
> William Graboyes wrote:
>> Hi List,
>> I am having yet another issue, when I run the following command:
>> ipa-cacert-manage renew --external-ca
>> It does output the CSR, however the CN is not a valid name
>> (Certificate Authority). Is it possible to change the output of
>> this command to use an external CA that requires a proper common
>> name to be in the CSR?
>> What I am trying to do is change from the internal self-signed
>> certs to an external CA signing system.
> What isn't valid about the name?
> This would make the IPA CA a subordinate of the external CA. Is
> that what you want?