Re: [Freeipa-users] External cert with correct CSR?

2017-05-03 Thread Fraser Tweedale
On Tue, May 02, 2017 at 11:10:12AM -0500, Kat wrote:
> Yeah, after I sent this email, I realized what I was trying to do and that,
> "Oh wait, this is not really going to work."
> 
Indeed.  This feature is usually used to chain an IPA CA into an
organisation's existing PKI, which is controlled by the
organisation, thus they can add whatever they need to the cert
regardless of what is/is not asserted by the CSR.

Cheers,
Fraser

> For what it is worth - version on RHEL 7.3 - 4.4.0-14.el7_3.7
> 
> -K
> 
> On 5/2/17 11:04 AM, Rob Crittenden wrote:
> > Kat wrote:
> > > Hi all,
> > > 
> > > I am somewhat confused trying to get the process of using an external
> > > cert for IPA.
> > > 
> > > If I follow step 1:
> > > ipa-server-install -a Secret123 -p Secret123 -r EXAMPLE.COM
> > > --external-ca -U
> > > 
> > > This does indeed generate a CSR, but trying to do anything with this CSR
> > > has no success since it is not properly formed with all info.  In
> > > other words, ipa does not add country, state, location, etc. If I submit
> > > this CSR to any cert company, it will, of course, complain. Is there a
> > > way to get this right? Or am I just missing something here?
> > > 
> > What cert company are you trying to get to sign this? This is a CA cert,
> > I don't know that any of the major ones will sign this, at least not
> > without a huge check.
> > 
> > What version of IPA?
> > 
> > rob
> > 
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

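
The point in the reply above, as an added example that is not part of the original thread or of FreeIPA's own tooling: an organisation-run CA signs a CSR whose subject carries only O and CN, and the CA extensions in the issued certificate come from the issuer's configuration rather than from the CSR. The root CA, file names, subjects and extension policy are constructed for illustration; the CSR is a stand-in for the one ipa-server-install generates.

```shell
#!/bin/sh
# Added illustration (not from the thread): all names and keys are constructed.
set -eu

# Build a throwaway root CA, a CSR with only O and CN, and sign the CSR as a CA.
sign_minimal_ca_csr() {
  d=$1
  # The extension sections below are the issuing CA's policy, not the CSR's.
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_sub]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  # 1. The organisation's existing root CA (constructed, throwaway).
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -extensions v3_root -subj "/C=AU/O=Example Org/CN=Example Org Root CA" \
    -days 30 -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # 2. A CSR with no C/ST/L in the subject and no requested extensions.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/O=EXAMPLE.COM/CN=Certificate Authority" \
    -keyout "$d/ipa.key" -out "$d/ipa.csr" 2>/dev/null
  # 3. The root signs it; the extensions come from v3_sub, not from the CSR.
  openssl x509 -req -in "$d/ipa.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.cnf" -extensions v3_sub \
    -out "$d/ipa-ca.crt" 2>/dev/null
  # 4. The issued CA certificate must chain to the organisation's root.
  openssl verify -CAfile "$d/root.crt" "$d/ipa-ca.crt" >/dev/null
}

workdir=$(mktemp -d)
sign_minimal_ca_csr "$workdir"
# The CSR asserts only a subject ...
openssl req -in "$workdir/ipa.csr" -noout -subject
# ... while the issued certificate carries the issuer's CA extensions.
openssl x509 -in "$workdir/ipa-ca.crt" -noout -subject -issuer
openssl x509 -in "$workdir/ipa-ca.crt" -noout -text | grep -A1 "Basic Constraints"
```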


Re: [Freeipa-users] External cert with correct CSR?

2017-05-02 Thread Kat
Yeah, after I sent this email, I realized what I was trying to do and 
that, "Oh wait, this is not really going to work."


For what it is worth - version on RHEL 7.3 - 4.4.0-14.el7_3.7

-K

On 5/2/17 11:04 AM, Rob Crittenden wrote:
> Kat wrote:
> > Hi all,
> >
> > I am somewhat confused trying to get the process of using an external
> > cert for IPA.
> >
> > If I follow step 1:
> > ipa-server-install -a Secret123 -p Secret123 -r EXAMPLE.COM
> > --external-ca -U
> >
> > This does indeed generate a CSR, but trying to do anything with this CSR
> > has no success since it is not properly formed with all info.  In
> > other words, ipa does not add country, state, location, etc. If I submit
> > this CSR to any cert company, it will, of course, complain. Is there a
> > way to get this right? Or am I just missing something here?
> >
> What cert company are you trying to get to sign this? This is a CA cert,
> I don't know that any of the major ones will sign this, at least not
> without a huge check.
>
> What version of IPA?
>
> rob





Re: [Freeipa-users] External cert with correct CSR?

2017-05-02 Thread Rob Crittenden
Kat wrote:
> Hi all,
> 
> I am somewhat confused trying to get the process of using an external
> cert for IPA.
> 
> If I follow step 1:
> ipa-server-install -a Secret123 -p Secret123 -r EXAMPLE.COM
> --external-ca -U
> 
> This does indeed generate a CSR, but trying to do anything with this CSR
> has no success since it is not properly formed with all info.  In
> other words, ipa does not add country, state, location, etc. If I submit
> this CSR to any cert company, it will, of course, complain. Is there a
> way to get this right? Or am I just missing something here?
> 

What cert company are you trying to get to sign this? This is a CA cert,
I don't know that any of the major ones will sign this, at least not
without a huge check.

What version of IPA?

rob



[Freeipa-users] External cert with correct CSR?

2017-05-02 Thread Kat

Hi all,

I am somewhat confused trying to get the process of using an external 
cert for IPA.


If I follow step 1:
ipa-server-install -a Secret123 -p Secret123 -r EXAMPLE.COM --external-ca -U

This does indeed generate a CSR, but trying to do anything with this CSR 
has no success since it is not properly formed with all info.  In 
other words, ipa does not add country, state, location, etc. If I submit
this CSR to any cert company, it will, of course, complain. Is there a
way to get this right? Or am I just missing something here?


Thanks

K
