On 8/16/2016 11:09 AM, Alexander Bokovoy wrote:
On Tue, 16 Aug 2016, Zarko Dudic wrote:
Thanks Rob. This command creates the CSR.

# ipa-server-install --subject 'OU=CorpArch,O=Corporation,L=Town,ST=California,C=US' --external-ca

And verification with the command:

# openssl req -in /root/ipa.csr -noout -text

... shows "Subject: C=US, ST=California, L=Town, O=Corporation, OU=CorpArch, CN=Certificate Authority"

Since the CN is not configurable, how is it expected to be signed by a third-party external CA? They usually want to see an FQDN.
This is not a certificate signing request for a host-based certificate.
This is a certificate signing request for a CA root certificate. It is
unlikely that you will get it signed by a public CA because that
signature basically makes your IPA CA a sub-CA.


Hi Alexander,
What you say here makes sense. I was trying this because the doc "Linux Domain Identity, Authentication, and Policy Guide", in section "2.3.2. Determining What CA Configuration to Use", reads:

An external CA is the root CA

The Certificate System CA is subordinate to an external CA.
However, all certificates for the IdM domain are still issued by the Certificate System instance. The external CA can be a corporate CA or a third-party CA, such as Verisign or Thawte. The certificates issued within the IdM domain are potentially subject to restrictions set by the external root CA for attributes like the validity period.

This is quite different from signing a server certificate.

The --external-ca option is provided to allow your IPA CA to be a sub-CA for
a corporate CA. I don't know of any publicly available CA that could
actually sign it for you.


--
Thanks,
Zarko

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
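Added example, not part of the thread or of FreeIPA/Dogtag itself: a small shell script that makes Alexander's distinction concrete by looking at what a CSR actually asks for. A CA request carries basicConstraints CA:TRUE (and keyCertSign), so whoever signs it is creating a subordinate CA; a server request carries CA:FALSE plus a subjectAltName with the FQDN the CA expects to see. The script needs only the openssl command-line tool; the subjects, the hostname ipa.example.test and the file names are made up for the example, and make_csr builds constructed CSRs of both kinds so the check can be tried offline.

```shell
# Added example, not from the thread or from FreeIPA: classify a CSR by the
# extensions it requests. Requires the openssl CLI. Subjects, the hostname
# ipa.example.test and the output file names are assumptions for this demo.

# Print the subject of a CSR in RFC 2253 form (most-specific RDN first), e.g.
# "CN=Certificate Authority,OU=CorpArch,O=Corporation,L=Town,ST=California,C=US"
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Exit 0 when the CSR requests basicConstraints CA:TRUE, i.e. signing it
# would create a subordinate CA (what --external-ca is for), else exit 1.
csr_is_ca() {
    openssl req -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Print the requested key usage (the line after "X509v3 Key Usage"), so a
# reviewer can spot "Certificate Sign" on a CA request. Empty if absent.
csr_key_usage() {
    openssl req -in "$1" -noout -text |
        awk '/Key Usage/ { getline; sub(/^ +/, ""); print; exit }'
}

# Build a constructed CSR (new RSA key, no passphrase) for the demo.
# Arguments: output path ending in .csr, subject in /C=..../CN=... form,
# and "ca" or "server" to choose which extensions are requested.
make_csr() {
    out=$1; subj=$2; kind=$3
    cfg=$(mktemp)
    {
        printf '[ req ]\ndistinguished_name = dn\nprompt = no\nreq_extensions = ext\n'
        printf '[ dn ]\nCN = placeholder\n'   # overridden by -subj below
        printf '[ ext ]\n'
        if [ "$kind" = ca ]; then
            printf 'basicConstraints = critical,CA:TRUE\n'
            printf 'keyUsage = critical,keyCertSign,cRLSign\n'
        else
            printf 'basicConstraints = CA:FALSE\n'
            printf 'subjectAltName = DNS:ipa.example.test\n'
        fi
    } > "$cfg"
    openssl req -new -newkey rsa:2048 -nodes -keyout "${out%.csr}.key" \
        -subj "$subj" -config "$cfg" -out "$out" 2>/dev/null
    rm -f "$cfg"
}
```

Run csr_is_ca and csr_key_usage against a real /root/ipa.csr the same way; whether a particular FreeIPA/Dogtag release puts these extensions into the CSR is something to confirm on your own file rather than assume. Note also that the CSR only states what is requested: the signing CA decides what ends up in the certificate, which is exactly why a public CA will refuse a CA:TRUE request while a corporate CA may accept it.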