[Freeipa-users] other attributes on certificates issued by IPA CA

Stephen Ingram sbingram at gmail.com
Sun Dec 18 00:17:19 UTC 2011


Looking at the logs when FreeIPA server is first set up, it is easy to
see that the only real information included for the CA besides the CN
is the organization which is set to the Kerberos realm. I'm creating
some certificates manually to test out the various parts of a manual
client join. I notice that if I include more information such as MAIL,
L, ST, C, or a Subject Alternate Name the certificate request is
denied by IPA with the error:

ipa: ERROR: invalid 'fqdn': must be Unicode text

Is this due to the fact that the installation routine doesn't allow
additional attributes for the CA itself so the CA won't allow you to
include this information in the certificates, or some other issue? It
works perfectly when I only use
"CN=clientname.example.com,O=EXAMPLE.COM" for the subject of the
certificate.

Steve



