Re: [Freeipa-users] --external-ca is a bit confusing.

2013-02-21 Thread John Dennis

On 02/21/2013 07:23 PM, Kendrick . wrote:

It is part of my initial setup.  I copied the ipa.csr into CAcert's
signing system so that the certificates would be valid outside of my
local domain, and it errors because the host information said
"Certificate Authority" instead of the host name, if I understand that
error message properly.

I am trying to get the CSR to provide all the information needed by
CAcert's free signing service.  I was expecting to be able to use the
user certificates that FreeIPA makes to sign emails and such that would
go externally.



The CA will only sign a cert for a domain registered to you. To see what 
domain the CSR is for, dump its contents using openssl, for example:


openssl req -in ipa.csr -noout -text

Does the CN in the subject match the domain you registered with 
cacert.org? If not, it's not going to sign it.


But wait, there's more: you're not just asking cacert to sign a plain 
cert, you're asking it to sign a CA cert, effectively creating a sub-CA of 
cacert. That means with that cert you can issue new certs and cacert 
will "vouch" for them, but of course they can't control who you're 
issuing certs to, which is a significant security issue. This FAQ entry 
from cacert will help clarify:


http://wiki.cacert.org/SubRoot

--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
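The check John describes above, as an added example that is not part of the original thread and not FreeIPA's own code: a small POSIX shell script that dumps a CSR's subject CN with openssl and also reports whether the request asks for a CA certificate (basicConstraints CA:TRUE). The CN is what CAcert tried to treat as a hostname, and CA:TRUE is what makes it a sub-CA request rather than a plain host cert. It assumes the openssl command-line tool is installed. The two sample CSRs it generates are constructed here: one mimics what the thread says the --external-ca request looks like (CN "Certificate Authority", CA:TRUE; the exact extension set is an assumption), the other is an ordinary host CSR for the placeholder name ipa.example.test.

```shell
#!/bin/sh
# Added example, not code from the original thread or from FreeIPA.
# Inspects a CSR with the openssl CLI (assumed installed): prints the
# subject CN and tells whether the request asks for a CA certificate.
set -eu

# Subject CN of a CSR. sep_multiline puts one RDN per line, so the CN
# line can be picked out regardless of the OpenSSL version's default
# subject formatting.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n 's/^[[:space:]]*CN=//p'
}

# Succeeds when the CSR carries basicConstraints CA:TRUE, i.e. it is a
# request for a (sub-)CA certificate rather than an end-entity one.
csr_is_ca_request() {
    openssl req -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# One-line verdict an operator can act on.
describe_csr() {
    cn=$(csr_cn "$1")
    if csr_is_ca_request "$1"; then
        echo "CA request for CN=$cn: a public CA will not sign this as a host cert"
    else
        echo "end-entity request for CN=$cn"
    fi
}

# Constructed sample input: two CSRs generated offline in a temp dir.
# The first mimics what the thread says the --external-ca CSR looks like
# (CN "Certificate Authority", CA:TRUE); the extension set is an assumption.
# Both use their own config file so no system openssl.cnf is needed.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = ca_ext
[dn]
O = EXAMPLE.TEST
CN = Certificate Authority
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -config "$dir/ca.cnf" -out "$dir/ca.csr" 2>/dev/null
    # An ordinary host CSR for comparison (placeholder hostname).
    cat > "$dir/host.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = ipa.example.test
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/host.key" \
        -config "$dir/host.cnf" -out "$dir/host.csr" 2>/dev/null
    echo "$dir"
}

# Usage: sh check_csr.sh /path/to/ipa.csr
if [ -n "${1:-}" ]; then
    describe_csr "$1"
fi
```

Run it against the CSR the installer wrote (for example `sh check_csr.sh /root/ipa.csr`). If it reports a CA request, no public CA's ordinary domain-validated signing flow will accept it; you either need a sub-CA agreement with that CA or a private root, and the user certificates issued by the resulting IPA CA will only be trusted where that root is trusted.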


Re: [Freeipa-users] --external-ca is a bit confusing.

2013-02-21 Thread Kendrick .
It is part of my initial setup.  I copied the ipa.csr into CAcert's
signing system so that the certificates would be valid outside of my local
domain, and it errors because the host information said "Certificate
Authority" instead of the host name, if I understand that error message
properly.

I am trying to get the CSR to provide all the information needed by CAcert's
free signing service.  I was expecting to be able to use the user
certificates that FreeIPA makes to sign emails and such that would go
externally.


Re: [Freeipa-users] --external-ca is a bit confusing.

2013-02-21 Thread Dmitri Pal
On 02/20/2013 10:20 PM, Kendrick . wrote:
> I am trying to get CAcert to sign the CSR.  I have tried searching
> about it and can't figure out what is what.  Some information I have
> found suggests it won't be possible. 
>
> When I go to get the CSR signed I get
>
> "The following hostnames were rejected because the system couldn't
> link them to your account, if they are valid please verify the domains
> against your account.
> Rejected: Certificate Authority
> "  
>  
>
>
> I would prefer my certificates to be valid on the internet as some of
> the user certs would be used to sign emails and such.  Any advice
> would be appreciated.

Can you please be more specific about what you are doing?
The linking to the external CA is a one-time operation during the initial
installation.
If you want to use IPA as a subordinate CA you need to specify a
flag during installation (it seems that you are doing that, based on the
comments above). The installation will stop, indicating that you need to
take the CSR and have it signed by the external CA. So you should take the
CSR and sign it. Then you present the result back to IPA and continue the
installation.

Based on the description above it is not clear which step is failing. 


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

