On Tue, 16 Aug 2016, Zarko Dudic wrote:
Thanks Rob. This command creates the CSR.
# ipa-server-install --subject
And verification with command :
# openssl req -in /root/ipa.csr -noout -text
... shows "Subject: C=US, ST=California, L=Town, O=Corporation,
OU=CorpArch, CN=Certificate Authority"
Since the CN is unconfigurable, how it's expected to be signed by 3rd
party external CA, they usually want to see FQDN.
This is not a certificate signing request for a host-based certificate.
This is a certificate signing request for a CA root certificate. It is
unlikely that you will get it signed by a public CA because that
signature basically makes your IPA CA a sub-CA.
This is quite different from signing a server certificate.
--external-ca option is provided to allow your IPA CA to be a sub-ca for
a corporate CA. I don't know any publicly available CA that could
actually sign it for you.
/ Alexander Bokovoy
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project