[Freeipa-devel] Proposed patch to resolve #828866 [RFE] enhance --subject option for ipa-server-install

Sebastian Hetze shetze at redhat.com
Fri Jul 8 11:54:33 UTC 2016


On 07/08/2016 12:57 PM, Sebastian Hetze wrote:
>
>
> With your proposal, a subject would look like this:
> Subject: CN=Custom CA Name,E=caadmin at example.com,OU=Example IT,O=Example
> Corp,L=City,ST=State,C=US
>
> I will check with my customer if this can possibly be signed by the AD
> PKI, and if that works what the ordering looks like after signing.
As I expected, the AD PKI brings the whole subject line into canonical
order, resulting in that subject:

Subject: E=caadmin at example.com,CN=Custom CA Name,OU=Example IT,O=Example
Corp,L=City,ST=State,C=US

Since the ipa-server-install requires the subject of the signed cert to
match exactly the subject from the CSR, we need to construct the subject
line exactly as I do in my proposed patch.

And, as I said, the patch works with freeipa-4.2.0 as shipped with RHEL-7.2.


Beste Grüße / Best regards
  Sebastian Hetze
-- 
Senior Solution Architect
Red Hat GmbH. Niederlassung Berlin
Am Treptower Park 75 12435 Berlin
Tel: +49 30 678 1798-241 . Mobil: +49 173 8914205
Fax: +49 30 678 1798-111 . E-Mail: she at redhat.com
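
A check for the mismatch described in the message above, added here as an example that is not part of the original message or of FreeIPA's code: it compares the subject requested in the CSR with the subject of the returned certificate and separates a pure RDN reordering from a change in content. The function names are hypothetical, the order-sensitive comparison is assumed from the message's statement that the subjects must match exactly, and multi-valued RDNs are not handled.

```python
from collections import Counter

# Subject strings as they appear in the message above (archive rendering kept).
CSR_SUBJECT = ("CN=Custom CA Name,E=caadmin at example.com,OU=Example IT,"
               "O=Example Corp,L=City,ST=State,C=US")
SIGNED_SUBJECT = ("E=caadmin at example.com,CN=Custom CA Name,OU=Example IT,"
                  "O=Example Corp,L=City,ST=State,C=US")

def parse_dn(dn):
    """Split a DN string into ordered (TYPE, value) pairs.

    Commas escaped with a backslash stay inside the value (RFC 4514 style).
    """
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    rdns = []
    for rdn in (p.strip() for p in parts):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def compare_subjects(csr_subject, cert_subject):
    """Return 'exact', 'reordered' (same RDNs, other order) or 'different'."""
    a, b = parse_dn(csr_subject), parse_dn(cert_subject)
    if a == b:
        return "exact"
    return "reordered" if Counter(a) == Counter(b) else "different"

def moved_rdns(csr_subject, cert_subject):
    """List (TYPE, csr_position, cert_position) for RDNs whose position changed."""
    a, b = parse_dn(csr_subject), parse_dn(cert_subject)
    return [(t, i, b.index((t, v))) for i, (t, v) in enumerate(a)
            if (t, v) in b and b.index((t, v)) != i]
```

A result of `reordered` means the issuing CA changed only the RDN order, which is the case the message reports for the AD PKI.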



