Thanks Rob. This command creates the CSR.

# ipa-server-install --subject 'OU=CorpArch,O=Corporation,L=Town,ST=California,C=US' --external-ca

And verification with the command:

# openssl req -in /root/ipa.csr -noout -text

... shows "Subject: C=US, ST=California, L=Town, O=Corporation, OU=CorpArch, CN=Certificate Authority"

Since the CN is unconfigurable, how is it expected to be signed by a 3rd-party external CA? They usually want to see the FQDN.

Can you please provide more details (or ref URL) about "right CA extensions". Thanks in advance.


On 8/16/2016 9:04 AM, Rob Crittenden wrote:
Zarko Dudic wrote:

Hi all,

I have a problem installing FreeIPA 4.2.0-15.0.1.el7_2.17.x86_64 with an
External CA as the Root CA. Here are the details.

1) Run "ipa-server-install --external-ca", and send the .csr to be signed by the
External CA, but VeriSign rejects signing this since info like
Organization, OU, L, ST, C is missing.

I seriously doubt Verisign will issue this certificate regardless of format. Don't confuse a CA signing certificate with a server certificate.

But who knows. Try the --subject-base option to ipa-server-install but note that the CN is currently unconfigurable, it will always be cn=Certificate Authority.

2) Okay, so I try this workaround, create cert request manually with
command:

      # certutil -R -d /tmp -a -g 2048 -s
'CN=<fqdn>,OU=<some-ou>,O=<company>,L=<town>,ST=California,C=US'

This will never work. Besides the fact that you didn't request a certificate with the right CA extensions, the private key that generated the CSR is now in a place that dogtag will never find it. This is unrelated to the error below but it would blow up eventually.

3) I verify request via
https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp
(looks good)

4) Now VeriSign accepts .csr and I receive the certificate (.cer file)
via email.

5) I also download two additional certs for the trust chain, one is
VeriSign's public primary root CA and the second one is the Company's
intermediate CA, both (.pem files)

6) Now the problem begins, run the command:

    # ipa-server-install --external-cert-file=/tmp/freeipa.cer
--external-cert-file=/tmp/Company_CA_G2.pem
--external-cert-file=/tmp/VeriSign_Root_CA.pem -vv

If memory serves IPA knows what the subject of its CA should look like (remember subject-base?) and it isn't finding it and blowing up.

rob


--
Thanks,
Zarko
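Added illustration for the thread above (editor's example, not FreeIPA, Dogtag or certutil code, and not something any participant posted): the "right CA extensions" Rob refers to are the X.509 extensions a subordinate-CA certificate has to carry, basicConstraints CA:TRUE and a keyUsage that includes keyCertSign (and normally cRLSign). A CSR produced with a plain `certutil -R -s 'CN=<fqdn>,...'` requests none of these, so even if an external CA accepts the subject it will at best issue a server certificate from it. The script below builds both kinds of request with the openssl CLI and checks a CSR for the CA extensions the way one would before sending it off. The subject values and the hostname `ipa.example.test` are made up; the only dependency is a working `openssl` binary.

```shell
#!/bin/sh
# Added example (not FreeIPA/Dogtag code): build a subordinate-CA CSR that
# carries CA extensions, build a plain server-style CSR without them, and
# check a CSR for the extensions an external CA needs to see.
# Requires the openssl CLI. All subject values below are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# openssl req config asking for subordinate-CA extensions in the CSR itself.
# The [dn] entry is a placeholder; -subj supersedes it when the CSR is made.
cat > "$WORK/ca_req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = ca_ext
prompt             = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Same, but with no req_extensions at all: the shape of a plain certutil -R
# request that only sets a subject.
cat > "$WORK/plain_req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = placeholder
EOF

# make_ca_csr SUBJECT OUTFILE: fresh RSA key + CSR carrying CA extensions.
make_ca_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -config "$WORK/ca_req.cnf" -subj "$1" -out "$2" 2>/dev/null
}

# make_plain_csr SUBJECT OUTFILE: fresh RSA key + CSR with no extensions.
make_plain_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/plain.key" \
    -config "$WORK/plain_req.cnf" -subj "$1" -out "$2" 2>/dev/null
}

# csr_has_ca_extensions CSRFILE: succeed only if the request asks for
# basicConstraints CA:TRUE and a keyUsage including keyCertSign
# ("Certificate Sign" in openssl's text output).
csr_has_ca_extensions() {
  text=$(openssl req -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -q 'CA:TRUE' &&
  printf '%s\n' "$text" | grep -q 'Certificate Sign'
}

# csr_subject CSRFILE: print the subject exactly as the signing CA will see it.
csr_subject() {
  openssl req -in "$1" -noout -subject
}

# Demo: a CA-style request with the full DN the list poster wanted, versus a
# server-style request with an FQDN in the CN and no CA extensions.
CA_SUBJ='/C=US/ST=California/L=Town/O=Corporation/OU=CorpArch/CN=Certificate Authority'
SRV_SUBJ='/C=US/ST=California/L=Town/O=Corporation/OU=CorpArch/CN=ipa.example.test'

make_ca_csr "$CA_SUBJ" "$WORK/ca.csr"
make_plain_csr "$SRV_SUBJ" "$WORK/plain.csr"

csr_subject "$WORK/ca.csr"
csr_has_ca_extensions "$WORK/ca.csr" && echo "ca.csr: CA extensions present, usable as a sub-CA request"
csr_has_ca_extensions "$WORK/plain.csr" || echo "plain.csr: no CA extensions, a CA will not issue a signing cert from this"
```

Run it as `sh check_ca_csr.sh`; `openssl req -in <file> -noout -text` prints the "Requested Extensions" section that the checker greps, so the same command can be pointed at the real `/root/ipa.csr` to see what `ipa-server-install --external-ca` actually asked for before it goes to the external CA.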

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
