On 8/16/2016 11:09 AM, Alexander Bokovoy wrote:
On Tue, 16 Aug 2016, Zarko Dudic wrote:
Thanks Rob. This command creates the CSR.
# ipa-server-install --subject
And verification with the command:
# openssl req -in /root/ipa.csr -noout -text
... shows "Subject: C=US, ST=California, L=Town, O=Corporation,
OU=CorpArch, CN=Certificate Authority"
Since the CN is unconfigurable, how is it expected to be signed by a 3rd-party
external CA? They usually want to see an FQDN.
This is not a certificate signing request for a host-based certificate.
This is a certificate signing request for a CA root certificate. It is
unlikely that you will get it signed by a public CA because that
signature basically makes your IPA CA a sub-CA.
What you say here makes sense. I was trying this because the doc
"Linux Domain Identity, Authentication, and Policy Guide", in
"2.3.2. Determining What CA Configuration to Use", reads:
An external CA is the root CA
The Certificate System CA is subordinate to an external CA.
However, all certificates for the IdM domain are still issued by the
Certificate System instance.
The external CA can be a corporate CA or a third-party CA, such as
Verisign or Thawte.
The certificates issued within the IdM domain are potentially subject to
restrictions set by the external root CA for attributes like the
This is quite different from signing a server certificate.
The --external-ca option is provided to allow your IPA CA to be a sub-CA of
a corporate CA. I don't know of any publicly available CA that could
actually sign it for you.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
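The thread turns on one check: is the file you are about to hand to an external CA a request for a CA certificate (which would make IPA a sub-CA) or a request for an ordinary host certificate? The script below is an added example, not code from the thread or from FreeIPA. It builds two constructed CSRs with openssl (a CA-style request with a non-FQDN CN and basicConstraints CA:TRUE, and a host request with an FQDN and a subjectAltName) and classifies each from the same `openssl req -noout -text` view Zarko used. File names, subjects and the hostname ipa.example.test are made up; it assumes an openssl that supports `-addext` (1.1.1 or later). Whether the CSR written by ipa-server-install carries a basicConstraints extension is not stated in the thread, so the classifier also reports "unknown" rather than guessing when neither marker is present.

```shell
#!/bin/sh
# Added example: tell a CA CSR from a host CSR before sending it to an
# external CA. Not part of the FreeIPA thread or the FreeIPA code base.
# Assumes: openssl >= 1.1.1 (-addext). Paths and names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed sample 1: a CA-style request, CN without an FQDN and an
# explicit request to act as a CA (basicConstraints CA:TRUE).
make_ca_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.csr" -subj "/O=Corporation/CN=Certificate Authority" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null
  echo "$WORK/ca.csr"
}

# Constructed sample 2: an ordinary host/server request with an FQDN in
# the CN and a matching subjectAltName, explicitly not a CA.
make_host_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/host.key" \
    -out "$WORK/host.csr" -subj "/O=Corporation/CN=ipa.example.test" \
    -addext "subjectAltName=DNS:ipa.example.test" \
    -addext "basicConstraints=critical,CA:FALSE" 2>/dev/null
  echo "$WORK/host.csr"
}

# Print the Subject line of a CSR, as the thread did by eye.
csr_subject() {
  openssl req -in "$1" -noout -subject
}

# Classify a CSR from its text dump: "ca" if it asks for CA:TRUE,
# "end-entity" if it carries a SAN or CA:FALSE, otherwise "unknown"
# (no extensions to go on; inspect the subject by hand).
csr_kind() {
  text=$(openssl req -in "$1" -noout -text)
  if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
    echo ca
  elif printf '%s\n' "$text" | grep -Eq 'Subject Alternative Name|CA:FALSE'; then
    echo end-entity
  else
    echo unknown
  fi
}

# Demo: ./csr-kind.sh demo
if [ "${1:-}" = "demo" ]; then
  for f in "$(make_ca_csr)" "$(make_host_csr)"; do
    printf '%s\n  %s\n  kind: %s\n' "$f" "$(csr_subject "$f")" "$(csr_kind "$f")"
  done
fi
```

Run it as `sh csr-kind.sh demo`: the first request is reported as `ca`, the second as `end-entity`. A result of `ca` on a file you meant to send to a public CA is the signal from this thread: that request is for a subordinate CA certificate, not a server certificate, and a public CA will not sign it.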