Thanks Rob. This command creates the CSR.
# ipa-server-install --subject
And verification with the command:
# openssl req -in /root/ipa.csr -noout -text
... shows "Subject: C=US, ST=California, L=Town, O=Corporation,
OU=CorpArch, CN=Certificate Authority"
Since the CN is unconfigurable, how is it expected to be signed by a 3rd
party external CA? They usually want to see an FQDN.
Can you please provide more details (or a ref URL) about the "right CA
extensions"? Thanks in advance.
On 8/16/2016 9:04 AM, Rob Crittenden wrote:
Zarko Dudic wrote:
I have a problem installing FreeIPA 4.2.0-15.0.1.el7_2.17.x86_64 with
External CA as the Root CA. Here are details.
1) Run "ipa-server-install --external-ca", and send .csr to be signed by
External CA, but VeriSign rejects signing this since info like
Organization, OU, L, ST, C are missing.
I seriously doubt Verisign will issue this certificate regardless of
format. Don't confuse a CA signing certificate with a server certificate.
But who knows. Try the --subject-base option to ipa-server-install but
note that the CN is currently unconfigurable, it will always be
2) Okay, so I try this workaround, create cert request manually with
# certutil -R -d /tmp -a -g 2048 -s
This will never work. Besides the fact that you didn't request a
certificate with the right CA extensions, the private key that
generated the CSR is now in a place that dogtag will never find it.
This is unrelated to the error below but it would blow up eventually.
3) I verify request via
4) Now VeriSign accepts .csr and I receive the certificate (.cer file)
5) I also download two additional certs for trust chain, one is
VeriSign's public primary root CA and the second one is Company's
intermediate CA, both (.pem files)
6) Now the problem begins, run the command:
# ipa-server-install --external-cert-file=/tmp/freeipa.cer
If memory serves IPA knows what the subject of its CA should look
like (remember subject-base?) and it isn't finding it and blowing up.
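An added example, not part of the original thread and not FreeIPA's own code: a shell check that a certificate returned by an external CA is a CA signing certificate rather than a server certificate, and that its subject matches the one in the CSR. It assumes "CA extensions" means the standard X.509 pair (basicConstraints CA:TRUE, keyUsage Certificate Sign); the function names and sample texts are constructed for illustration.

```shell
# Added example. Reads `openssl x509 -noout -text` output on stdin.
# Assumption: "CA extensions" means basicConstraints CA:TRUE plus keyUsage
# Certificate Sign; the subject is compared with the subject from the CSR.

# Strip the "Subject:" label and spaces around "=" so both OpenSSL output
# styles ("C=US, ST=..." and "C = US, ST = ...") compare equal.
normalize_subject() {
    printf '%s\n' "$1" | sed -e 's/^ *Subject: *//' -e 's/ *= */=/g' -e 's/ *$//'
}

# usage: openssl x509 -in cert.pem -noout -text | check_ca_cert "<CSR subject>"
# Prints one line per problem; returns 0 only if every check passes.
check_ca_cert() {
    expected=$(normalize_subject "$1")
    text=$(cat)
    rc=0
    subject_line=$(printf '%s\n' "$text" | grep -m1 '^ *Subject:' || true)
    actual=$(normalize_subject "$subject_line")
    if [ "$actual" != "$expected" ]; then
        echo "subject mismatch: got '$actual'"
        rc=1
    fi
    # Basic Constraints must mark the certificate as a CA.
    if ! printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'; then
        echo "missing basicConstraints CA:TRUE"
        rc=1
    fi
    # Key Usage must allow signing other certificates.
    if ! printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign'; then
        echo "missing keyUsage Certificate Sign"
        rc=1
    fi
    return $rc
}

# Constructed sample inputs (not output from the certificates in the thread).
CSR_SUBJECT='C=US, ST=California, L=Town, O=Corporation, OU=CorpArch, CN=Certificate Authority'
SAMPLE_CA='        Subject: C = US, ST = California, L = Town, O = Corporation, OU = CorpArch, CN = Certificate Authority
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign'
SAMPLE_SERVER='        Subject: C=US, O=Corporation, CN=ipa.example.test
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment'
```

Running the check on the signed certificate before passing it to `--external-cert-file` shows whether the CA returned a server certificate or changed the subject.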