[Freeipa-users] other attributes on certificates issued by IPA CA

Rob Crittenden rcritten at redhat.com
Mon Dec 19 14:04:17 UTC 2011


Stephen Ingram wrote:
> Looking at the logs when FreeIPA server is first setup, it is easy to
> see that the only real information included for the CA besides the CN
> is the organization which is set to the Kerberos realm. I'm creating
> some certificates manually to test out the various parts of a manual
> client join. I notice that if I include more information such as MAIL,
> L, ST, C, or a Subject Alternative Name the certificate request is
> denied by IPA with the error:
>
> ipa: ERROR: invalid 'fqdn': must be Unicode text
>
> Is this due to the fact that the installation routine doesn't allow
> additional attributes for the CA itself so the CA won't allow you to
> include this information in the certificates, or some other issue? It
> works perfectly when I only use
> "CN=clientname.example.com,O=EXAMPLE.COM" for the subject of the
> certificate.
>
> Steve

Well, that isn't the right error message. It should be complaining that
the subject doesn't match.

You can't include extra subject information. With a dogtag CA install it
will all be silently dropped. A selfsign CA install does validation to
ensure it matches the subject.

The subject base is configurable only at install time.

rob
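The subject rule Rob describes, written out as a small pre-submission check (added illustration, not FreeIPA's own code): the CSR subject must be exactly CN=<fqdn> followed by the install-time subject base; a dogtag-backed CA drops anything else, the selfsign CA rejects it. Function names, the hypothetical `backend` switch and the sample subjects are assumptions; only the subject DN is modelled, not a Subject Alternative Name extension.

```python
import re

# Split a string DN on unescaped commas; RFC 4514 writes a literal comma as '\,'.
def parse_dn(dn):
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, sep, value = part.partition('=')
        if not sep:
            raise ValueError('malformed RDN: %r' % part)
        rdns.append((attr.strip().upper(), value.strip().replace('\\,', ',')))
    return rdns

def format_dn(rdns):
    return ','.join('%s=%s' % (a, v.replace(',', '\\,')) for a, v in rdns)

def check_subject(subject, fqdn, subject_base, backend='dogtag'):
    """Return (subject_that_would_be_issued, extra_rdns).

    The expected subject is CN=<fqdn> plus the subject base fixed at install
    time.  A missing or wrong CN/base is rejected (None) on both backends;
    extra RDNs are silently dropped by dogtag but rejected by selfsign.
    """
    if backend not in ('dogtag', 'selfsign'):
        raise ValueError('unknown backend: %s' % backend)
    want = [('CN', fqdn)] + parse_dn(subject_base)
    got = parse_dn(subject)
    missing = [r for r in want if r not in got]
    extras = [r for r in got if r not in want]
    if missing or (backend == 'selfsign' and extras):
        return None, extras
    return format_dn(want), extras

if __name__ == '__main__':
    # Constructed sample: the subject from the thread plus the extra RDNs asked about.
    base, fqdn = 'O=EXAMPLE.COM', 'clientname.example.com'
    req = 'CN=%s,L=Somewhere,ST=CA,C=US,%s' % (fqdn, base)
    for backend in ('dogtag', 'selfsign'):
        print(backend, check_subject(req, fqdn, base, backend))
```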
