[Freeipa-users] --external-ca is a bit confusing.

John Dennis jdennis at redhat.com
Fri Feb 22 02:52:36 UTC 2013


On 02/21/2013 07:23 PM, Kendrick . wrote:
> It is part of my initial setup.  I copied the ipa.csr in to cacert's
> signing system so that the certificates would be valid outside of my
> local domain.  And it errors because the host information said
> certificate authority instead of the host name, if I understand that
> error message properly.
>
> I am trying to get the csr to provide all the information needed by
> cacert's free signing service.  I was expecting to be able to use the
> user certificates that freeipa makes to sign emails and such that would
> go externally.


The CA will only sign a cert for a domain registered to you. To see what 
domain the CSR is for, dump its contents using openssl, for example:

openssl req -in ipa.csr -noout -text

Does the CN in the subject match the domain you registered with 
cacert.org? If not, it's not going to sign it.

But wait, there's more: you're not just asking cacert to sign a plain 
cert, you're asking it to sign a CA cert, effectively creating a sub-CA of 
cacert. That means with that cert you can issue new certs and cacert 
will "vouch" for them, but of course they can't control who you're 
issuing certs to, which is a significant security issue. This FAQ entry 
from cacert will help clarify:

http://wiki.cacert.org/SubRoot

-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
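The two checks John describes (does the subject CN match the registered domain, and is the CSR asking for a CA certificate at all?) as a small script. This is an added example, not code from the thread or from FreeIPA; it assumes openssl 1.1.1 or later is on PATH, and the CN values and `EXAMPLE.TEST` organisation are constructed placeholders.

```bash
#!/bin/sh
# Added example: inspect a CSR before sending it to an external CA.
# Assumes openssl >= 1.1.1 (needed for -addext when building sample input).
set -eu

# Print the subject CN of a CSR, e.g. "ipa.example.test" (placeholder name).
csr_cn() {   # $1 = CSR file
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Print "yes" if the CSR requests basicConstraints CA:TRUE (a sub-CA cert,
# which is what ipa.csr asks for), otherwise "no".
csr_requests_ca() {   # $1 = CSR file
    if openssl req -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo yes
    else
        echo no
    fi
}

# Succeed only when the CSR is a plain (non-CA) request whose CN is the
# domain registered with the external CA.
csr_ok_for_external_ca() {   # $1 = CSR file, $2 = registered domain
    [ "$(csr_cn "$1")" = "$2" ] && [ "$(csr_requests_ca "$1")" = no ]
}

# Constructed sample input: a throwaway key plus a CSR. With "ca" as $3 the
# CSR asks for a CA certificate, mirroring the shape of IPA's ipa.csr.
make_sample_csr() {   # $1 = output CSR, $2 = CN (placeholder), $3 = ca|plain
    ext='basicConstraints=critical,CA:FALSE'
    [ "$3" = ca ] && ext='basicConstraints=critical,CA:TRUE'
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/CN=$2/O=EXAMPLE.TEST" -addext "$ext" -out "$1" 2>/dev/null
}
```

Run `csr_ok_for_external_ca ipa.csr your.registered.domain` against the real file; it fails for an IPA CA request both because the CN is "Certificate Authority" and because CA:TRUE is requested.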