On Tue, 16 Aug 2016, Zarko Dudic wrote:
Thanks Rob. This command creates the CSR.

# ipa-server-install --subject 'OU=CorpArch,O=Corporation,L=Town,ST=California,C=US' --external-ca

And verification with command :

# openssl req -in /root/ipa.csr -noout -text

... shows "Subject: C=US, ST=California, L=Town, O=Corporation, OU=CorpArch, CN=Certificate Authority"

Since the CN is unconfigurable, how it's expected to be signed by 3rd party external CA, they usually want to see FQDN.
This is not a certificate signing request for a host-based certificate.
This is a certificate signing request for a CA root certificate. It is
unlikely that you will get it signed by a public CA because that
signature basically makes your IPA CA a sub-CA.

This is quite different from signing a server certificate.

--external-ca option is provided to allow your IPA CA to be a sub-ca for
a corporate CA. I don't know any publicly available CA that could
actually sign it for you.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to