To sum up, our problem was that we did not install the new CA crt on all replicas,
which should probably be done using "ipa-certupdate", but we missed that in
the documentation.

Regarding the certificate encoding, we noticed that after the upgrade v3
-> v4 IPA issues certificates in UTF8STRING, and as long as our CA crt was
still PRINTABLESTRING, it created mismatched certificates. This could be
fixed by renewing the CA crt.


2017-01-04 16:46 GMT+01:00 Jan Orel <>:

> Hello,
> recently we renewed our CA crt. Later we noticed the new CA certificate
> uses different encoding in Issuer and Subject:
> subject=
>     organizationName          = UTF8STRING:INTGDC.COM
>     commonName                = UTF8STRING:Certificate Authority
> issuer=
>     organizationName          = PRINTABLESTRING:INTGDC.COM
>     commonName                = PRINTABLESTRING:Certificate Authority
> The former CA certificate is PRINTABLESTRING in both fields, as well as
> all the older certs.
> Since the renewal we have issues with trusting newly issued certificates,
> which also have different encoding in subject and issuer.
> What should be the default (correct) encoding for the certificates?
> According to the: seems it
> should be UTF8
> but from the certmonger:
> certmonger.git/commit/?id=e6ecd5d8df3413a9717c57ee7fb8702ece23afd6
> seems PRINTABLESTRING is used.
> How to fix? Do we need to renew the CA certificate once again?
> Thank you
> Jan Orel
> We run:
> ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
> certmonger-0.78.4-1.el7.x86_64
> nuxwdog-1.0.3-4.el7_2.x86_64
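
The encoding difference described in this thread can be checked mechanically by comparing the ASN.1 string type of each attribute in an issued certificate's issuer field against the CA certificate's subject. This is an added example, not part of the original messages or of FreeIPA; the helper names are hypothetical and the Names are constructed samples built from the O and CN values quoted above.

```python
# Added example. All Names handled here are constructed samples, not real certs.
STRING_TAGS = {0x0C: "UTF8STRING", 0x13: "PRINTABLESTRING", 0x16: "IA5STRING"}
OID_O, OID_CN = bytes.fromhex("55040a"), bytes.fromhex("550403")
OIDS = {OID_O: "organizationName", OID_CN: "commonName"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each DER element packed inside value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def name_attrs(der_name):
    """Parse a DER Name into a list of (attribute, string_type, raw_value)."""
    tag, rdns, _ = read_tlv(der_name, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs = []
    for _, rdn in children(rdns):        # each RDN is a SET
        for _, atv in children(rdn):     # of AttributeTypeAndValue SEQUENCEs
            (_, oid), (stag, sval) = children(atv)
            attrs.append((OIDS.get(oid, oid.hex()),
                          STRING_TAGS.get(stag, hex(stag)), sval))
    return attrs

def encoding_mismatches(issuer_in_cert, ca_subject):
    """Attributes with identical text but different ASN.1 string types."""
    pairs = zip(name_attrs(issuer_in_cert), name_attrs(ca_subject))
    return [(a, t1, t2) for (a, t1, v1), (b, t2, v2) in pairs
            if a == b and v1 == v2 and t1 != t2]

def build_name(string_tag, org, cn):
    """Build a constructed sample Name (O, CN) using one string type."""
    def tlv(tag, val):
        return bytes([tag, len(val)]) + val
    def rdn(oid, text):
        atv = tlv(0x06, oid) + tlv(string_tag, text.encode("ascii"))
        return tlv(0x31, tlv(0x30, atv))
    return tlv(0x30, rdn(OID_O, org) + rdn(OID_CN, cn))
```

Calling `encoding_mismatches(build_name(0x13, "INTGDC.COM", "Certificate Authority"), build_name(0x0C, "INTGDC.COM", "Certificate Authority"))` reports both attributes as PRINTABLESTRING on one side and UTF8STRING on the other, even though the text is identical.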
Manage your subscription for the Freeipa-users mailing list: