Hello,

recently we renewed our CA crt. Later we noticed the new CA certificate
uses different encoding in Issuer and Subject:

subject=
    organizationName          = UTF8STRING:INTGDC.COM
    commonName                = UTF8STRING:Certificate Authority
issuer=
    organizationName          = PRINTABLESTRING:INTGDC.COM
    commonName                = PRINTABLESTRING:Certificate Authority

The former CA certificate is PRINTABLESTRING in both fields, as well as all
the older certs.

Since the renewal we have issues with trusting newly issued certificates,
which also have different encoding in subject and issuer.

What should be the default (correct) encoding for the certificates?

According to the: http://www.freeipa.org/page/Troubleshooting seems it
should be UTF8

but from the certmonger:
https://git.fedorahosted.org/cgit/certmonger.git/commit/?id=e6ecd5d8df3413a9717c57ee7fb8702ece23afd6

seems PRINTABLESTRING is used.

How to fix? Do we need to re-new the CA certificate once again?

Thank you
Jan Orel

We run:
ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
certmonger-0.78.4-1.el7.x86_64
nuxwdog-1.0.3-4.el7_2.x86_64
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to