Re: [Freeipa-users] change CA subject or "friendly name"?

2016-04-18 Thread Jan Cholasta

Hi,

On 12.4.2016 01:08, Fraser Tweedale wrote:

> On Mon, Apr 11, 2016 at 11:43:17AM -0400, Anthony Clark wrote:
>> Hello All,
>>
>> I'm in the process of deploying FreeIPA 4 in a development environment.
>> One of my testers has imported the ca.pem file into Windows, and indicates
>> that it displays as:
>>
>> Issued to: Certificate Authority
>> Issued by: Certificate Authority
>> Friendly Name: 
>>
>> This will unfortunately cause confusion among certain end users, so I was
>> wondering if there's a way to change those attributes?
>>
>> Ideally without reinstalling everything, but thankfully we're still early
>> in the process so it's OK if we do blow everything away.
>>
>> Do I need to generate a new CA outside of FreeIPA and then use
>> ipa-cacert-manage to "renew" the base CA?
>>
>> Thanks,
>>
>> Anthony Clark
>
> Hi Anthony,
>
> After a brief investigation it appears that ``Friendly Name'' is a
> property that can be set in a Windows certificate store, and is not
> part of, or derived from, the certificate itself.
>
> Here are a couple of TechNet articles that might help:
>
> - https://technet.microsoft.com/en-us/library/cc740218%28v=ws.10%29.aspx
> - https://blogs.technet.microsoft.com/pki/2008/12/12/defining-the-friendly-name-certificate-property/


As for "Issued to" and "Issued by", I guess these are derived from the 
subject and issuer name fields of the certificate, which currently can't 
be changed for our CA certificate.


We have a ticket to fix this for quite some time: 
.


--
Jan Cholasta

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
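
The distinction drawn in this thread (Friendly Name is store metadata, while "Issued to" and "Issued by" come from the certificate's subject and issuer fields) can be checked on the Windows side with the following PowerShell, which is an added example and not part of the original messages. It assumes ca.pem has already been imported into the machine's Trusted Root store; the file path and the label are hypothetical placeholders.

```powershell
# Added example. Run from an elevated prompt: LocalMachine stores need admin rights.
# Assumptions: ca.pem is already in LocalMachine\Root and a copy sits at $caPath.
$caPath       = 'C:\Temp\ca.pem'            # hypothetical path
$friendlyName = 'Example Dev FreeIPA CA'    # hypothetical label, choose your own

# Parse the file only to learn which store entry to touch (thumbprint = SHA-1 of the DER bytes).
$fromFile = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caPath

$storePath = Join-Path 'Cert:\LocalMachine\Root' $fromFile.Thumbprint
$inStore   = Get-Item -Path $storePath -ErrorAction Stop   # fails if the CA was never imported

# What certmgr shows as "Issued to" / "Issued by" comes from these certificate fields.
"Subject (Issued to): $($inStore.Subject)"
"Issuer  (Issued by): $($inStore.Issuer)"
"Friendly Name before: '$($inStore.FriendlyName)'"

# FriendlyName is a property attached to the store entry, so it can be set locally
# without re-issuing or re-signing anything.
$inStore.FriendlyName = $friendlyName

# Re-read the entry and confirm the certificate bytes are identical to the file.
$after     = Get-Item -Path $storePath
$sameBytes = [Convert]::ToBase64String($after.RawData) -eq
             [Convert]::ToBase64String($fromFile.RawData)

"Friendly Name after:  '$($after.FriendlyName)'"
"Certificate bytes unchanged: $sameBytes"
"Subject unchanged: $($after.Subject -eq $fromFile.Subject)"
"Issuer unchanged:  $($after.Issuer -eq $fromFile.Issuer)"

if (-not $sameBytes) {
    throw 'Store entry differs from ca.pem; investigate before trusting this root.'
}
```

The label lives only in that machine's certificate store, so it has to be applied on each Windows client; the subject and issuer strings remain whatever the CA certificate itself contains.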


Re: [Freeipa-users] change CA subject or "friendly name"?

2016-04-11 Thread Fraser Tweedale
On Mon, Apr 11, 2016 at 11:43:17AM -0400, Anthony Clark wrote:
> Hello All,
> 
> I'm in the process of deploying FreeIPA 4 in a development environment.
> One of my testers has imported the ca.pem file into Windows, and indicates
> that it displays as:
> 
> Issued to: Certificate Authority
> Issued by: Certificate Authority
> Friendly Name: 
> 
> This will unfortunately cause confusion among certain end users, so I was
> wondering if there's a way to change those attributes?
> 
> Ideally without reinstalling everything, but thankfully we're still early
> in the process so it's OK if we do blow everything away.
> 
> Do I need to generate a new CA outside of FreeIPA and then use
> ipa-cacert-manage to "renew" the base CA?
> 
> Thanks,
> 
> Anthony Clark

Hi Anthony,

After a brief investigation it appears that ``Friendly Name'' is a
property that can be set in a Windows certificate store, and is not
part of, or derived from, the certificate itself.

Here are a couple of TechNet articles that might help:

- https://technet.microsoft.com/en-us/library/cc740218%28v=ws.10%29.aspx
- https://blogs.technet.microsoft.com/pki/2008/12/12/defining-the-friendly-name-certificate-property/

Cheers,
Fraser
