We currently have IPA 4.2 servers working with a self-signed CA certificate
with the REALM of xyz.local.

I’m trying to chain our xyz.local CA cert with IT’s abc.local CA cert so that
users on a corp laptop (with the abc.local cert already in the CA chain) would trust
the xyz.local CA cert and not get the SSL cert warning when visiting sites with
certs issued by the IPA installation.

I followed the steps in the FreeIPA documentation and ran:
ipa-cacert-manage renew --external-ca
It generated the ca.csr, but the CA attribute was set to False:

[root@xyz ipa]# openssl req -in ca.csr -noout -text | grep -B 2 X509
            friendlyName             :unable to print attribute
        Requested Extensions:
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:FALSE


Please let me know how to generate the CSR so that CA is set to True, or do I
need to manually modify the CSR to make it True?

Thanks.