To sum up, our problem was we did not install new CA crt on all replicas,
which should be probably done using "ipa-certupdate", but we missed that in
Regarding the certificate encoding, we noticed that after the upgrade v3
-> v4 IPA issues certificates in UTF8STRING, and as long as our CA crt was
still PRINTABLESTRING, it created mismatched certificates. This could be
fixed by renewing the CA crt.
2017-01-04 16:46 GMT+01:00 Jan Orel <jano...@gmail.com>:
> Recently we renewed our CA crt. Later we noticed the new CA certificate
> uses different encoding in Issuer and Subject:
> organizationName = UTF8STRING:INTGDC.COM
> commonName = UTF8STRING:Certificate Authority
> organizationName = PRINTABLESTRING:INTGDC.COM
> commonName = PRINTABLESTRING:Certificate Authority
> The former CA certificate is PRINTABLESTRING in both fields, as well as
> all the older certs.
> Since the renewal we have issues with trusting newly issued certificates,
> which also have different encoding in subject and issuer.
> What should be the default (correct) encoding for the certificates?
> According to http://www.freeipa.org/page/Troubleshooting it seems it
> should be UTF8,
> but from certmonger: https://git.fedorahosted.org/cgit/
> it seems PRINTABLESTRING is used.
> How to fix? Do we need to renew the CA certificate once again?
> Thank you
> Jan Orel
> We run:
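The mismatch described in this thread, as an added example that is not part of the original messages: two X.509 names with the same text but different ASN.1 string types are different byte strings, so a verifier that compares the encoded Issuer and Subject byte for byte treats them as different names. The DER names are constructed from the O and CN values quoted above, and the function names are hypothetical.

```python
TAGS = {0x0C: "UTF8STRING", 0x13: "PRINTABLESTRING"}
OIDS = {"55040a": "organizationName", "550403": "commonName"}

def tlv(tag, body):  # one DER TLV, short-form length (enough for these names)
    return bytes([tag, len(body)]) + body

def build_name(attrs, string_tag):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, string }."""
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex(oid)) + tlv(string_tag, text.encode())))
        for oid, text in attrs))

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV at pos, any length form."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def parse_name(der):
    """Return [(attribute, string type, text)] for every attribute in a Name."""
    tag, rdns, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a DER Name")
    out, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = read_tlv(rdns, pos)       # SET (one RDN)
        apos = 0
        while apos < len(rdn):
            _, atv, apos = read_tlv(rdn, apos)  # SEQUENCE { OID, value }
            _, oid, vpos = read_tlv(atv, 0)
            vtag, val, _ = read_tlv(atv, vpos)
            out.append((OIDS.get(oid.hex(), oid.hex()), TAGS.get(vtag, hex(vtag)), val.decode()))
    return out

def compare_names(issuer_der, subject_der):
    """'identical', 'encoding-mismatch' (same text, other tags) or 'different'."""
    if issuer_der == subject_der:
        return "identical"
    a, b = parse_name(issuer_der), parse_name(subject_der)
    same_text = [(k, v) for k, _, v in a] == [(k, v) for k, _, v in b]
    return "encoding-mismatch" if same_text else "different"

ATTRS = [("55040a", "INTGDC.COM"), ("550403", "Certificate Authority")]  # constructed sample
CA_SUBJECT = build_name(ATTRS, 0x13)   # PRINTABLESTRING, like the older CA cert
LEAF_ISSUER = build_name(ATTRS, 0x0C)  # UTF8STRING, like the newly issued certs
```

`compare_names(LEAF_ISSUER, CA_SUBJECT)` returns `"encoding-mismatch"`, which is the condition to look for when a replica still holds a CA certificate whose Subject encoding differs from the Issuer of newly issued certificates.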