Hi everybody,

With my IPA version 4.4.0 on CentOS 7 64-bit, I need to sign my ESXi and HP ILO certificates with my FreeIPA server. I create the CSR with the following command:

    openssl req -new -sha256 -nodes -config openssl.cfg -newkey rsa:2048 -keyout esxi.key -out esxi.csr

My OpenSSL configuration file contains the following information:

    [ req ]
    default_bits = 2048
    default_keyfile = rui.key
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    req_extensions = v3_req

    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = DNS:esxi, IP:X.X.X.X, DNS:esxi.example.com

    [ req_distinguished_name ]
    countryName = FR
    stateOrProvinceName = Province
    localityName = Town
    0.organizationName = Corporate
    organizationalUnitName = IT Services
    commonName = esxi.example.com

Then I use the "cat" command to display the certificate signing request, copy it, and paste it into my FreeIPA.

In my FreeIPA WebGui, I declare a host named esxi, I click on it, then on the "action" button and finally "New certificate". I select IPA for Certificate Authority, I use the caIPAserviceCert profile ID, I paste the CSR and click. I get the following error message:

    Insufficient access : Subject alt name type IP Address is forbidden

I need to keep the IP address in the SAN. Is there a way to authorize IPA to sign my certificate?

Many thanks.

--
Cordialement/Best regards,
Mikaël ANDRÉ
Mobile : +33 6 28 71 19 89
Mail : mikael.andre.1...@gmail.com