On Tue, 16 Aug 2016, Zarko Dudic wrote:
Thanks Rob. This command creates the CSR.
# ipa-server-install --subject
'OU=CorpArch,O=Corporation,L=Town,ST=California,C=US' --external-ca
And verification with command :
# openssl req -in /root/ipa.csr -noout -text
... shows "Subject: C=US, ST=California, L=Town, O=Corporation,
OU=CorpArch, CN=Certificate Authority"
Since the CN is unconfigurable, how it's expected to be signed by 3rd
party external CA, they usually want to see FQDN.
This is not a certificate signing request for a host-based certificate.
This is a certificate signing request for a CA root certificate. It is
unlikely that you will get it signed by a public CA because that
signature basically makes your IPA CA a sub-CA.
This is quite different from signing a server certificate.
--external-ca option is provided to allow your IPA CA to be a sub-ca for
a corporate CA. I don't know any publicly available CA that could
actually sign it for you.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
