we currently have a IPA 4.2 servers working with a self-signed CA certificate 
with the REALM of xyz.local

I’m trying chain our xyz.local CA cert with IT’s abc.local CA cert so that 
users on corp laptop(with the abc.local cert already in CA chain) would trust
the xyz.local CA cert and not get the SSL cert warning when visiting sites with 
certs issued by the IPA installation.

I followed the step in freeipa documentation and ran:
ipa-cacert-manage renew --external-ca
it generated the ca.scr, but the CA attribute was set to False:

[root@xyz ipa]# openssl req -in ca.csr -noout -text | grep -B 2 X509
            friendlyName             :unable to print attribute
        Requested Extensions:
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical

Please let  me know how to generate the CSR so that CA is set to True, or do I 
need to manually modify the CSR to make it True ?

Efficiency is Intelligent Laziness

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to