On Fri, Mar 10, 2017 at 01:16:42PM +0100, Harald Dunkel wrote:
> Hi folks,
> 
> I stumbled over this problem:
> 
> http://openbsd-archive.7691.n7.nabble.com/Certificate-Error-quot-format-error-in-certificate-s-notAfter-field-quot-td304262.html
> 
> The details don't really matter. The important point is that
> the root certificate used to sign freeipa's certificate
> appears to be unacceptable on openBSD and maybe others.
> 
> What would you suggest? Is there a guideline to migrate
> freeipa to a new certificate authority?
> 
> 
> Every helpful comment is highly appreciated
> Harri
>
The issue in that thread was resolved.  It was caused by invalid
encoding of the notAfter field.  I think OpenBSD uses LibreSSL in
their base system - and I guess it adheres more strictly to RFC 5280
than other implementations.

As for migrating to a new CA (or merely installing a newer
certificate for the original CA, with correct encoding), you can do
it via ipa-cacert-mangage(1).

Cheers,
Fraser

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to