[Freeipa-users] External CA

John Dennis jdennis at redhat.com
Fri Nov 8 13:53:37 UTC 2013


On 11/08/2013 04:56 AM, Petr Viktorin wrote:
> On 11/08/2013 09:01 AM, Martin Kosek wrote:
>> Thanks for heads up. You mean by the difference between "O=MW" and
>> "O=MELTWATER.COM"?

>> Petr, is this possible? Can it be validated in the installer if this is the
>> root cause?

That's a good question. Typically with cert validation only the CN
component in the subject is cross checked. More aggressive validators
are free to examine all RDNs in the subject (not sure what the PKIX
behavior is with respect to other RDNs). Of course this isn't cert
validation, but validating a CSR is closely related. The first place I
would look is the Dogtag policy.

> It is possible. It's hard to tell without the logs; looks like the 
> failure was inside Dogtag. There may be more issues; for instance I 
> don't think we considered PEM files with extra data before the BEGIN 
> CERTIFICATE.
> I filed a ticket to investigate: 
> https://fedorahosted.org/freeipa/ticket/4019

FWIW I've authored a set of Python utilities to work with PEM files for
OpenStack. They work just fine with PEM blocks embedded in non-PEM
text. I was thinking the utilities would also be useful in FreeIPA (in
fact my experience in IPA is what guided the development of these
utilities). I'll try to get them up in a git repo shortly and send a pointer.

-- 
John
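The thread above mentions PEM files that carry extra data before the BEGIN CERTIFICATE line (for example the human-readable dump that `openssl x509 -text` prints ahead of the block) and an installer that should validate such input rather than fail deep inside Dogtag. The following is an added example, not John's utilities and not FreeIPA or Dogtag code. It extracts every PEM block from arbitrary text, insists that the BEGIN and END labels agree, decodes the body with strict base64 validation, and returns the DER bytes of the first CERTIFICATE block. The sample file and its block contents are constructed (the bodies are not real certificates); the function names `parse_pem_blocks` and `extract_first_certificate` are this example's own.

```python
import base64
import re
from typing import List, Tuple

# Constructed sample: text before the first BEGIN line, a stray note between
# blocks, and two block types. The base64 bodies are placeholders, not DER.
SAMPLE_PEM_FILE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: O=EXAMPLE.TEST, CN=Certificate Authority
-----BEGIN CERTIFICATE-----
aGVsbG8gd29ybGQ=
-----END CERTIFICATE-----
Some trailing notes from whoever exported this file.
-----BEGIN CERTIFICATE REQUEST-----
Y3NyIGJvZHk=
-----END CERTIFICATE REQUEST-----
"""

# One PEM block: BEGIN line, body, END line. Labels are captured separately so
# a mismatched pair (BEGIN CERTIFICATE ... END CERTIFICATE REQUEST) can be rejected.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END (?P<end_label>[A-Z0-9 ]+)-----",
    re.DOTALL,
)


def parse_pem_blocks(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, der_bytes) for every PEM block found anywhere in text.

    Anything outside BEGIN/END armor is ignored, so leading or interleaved
    non-PEM text does not cause a failure. Malformed blocks raise ValueError
    with a message naming the block, which is what an installer should surface
    instead of an opaque CA-side error.
    """
    blocks: List[Tuple[str, bytes]] = []
    for match in PEM_BLOCK_RE.finditer(text):
        label = match.group("label")
        end_label = match.group("end_label")
        if label != end_label:
            raise ValueError(
                f"PEM block label mismatch: BEGIN {label} but END {end_label}"
            )
        # Strip line breaks and indentation; validate=True then rejects any
        # character outside the base64 alphabet instead of silently dropping it.
        body = "".join(match.group("body").split())
        try:
            der = base64.b64decode(body, validate=True)
        except (ValueError, base64.binascii.Error) as exc:
            raise ValueError(f"PEM block {label} has invalid base64 body") from exc
        if not der:
            raise ValueError(f"PEM block {label} is empty")
        blocks.append((label, der))
    return blocks


def extract_first_certificate(text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block, ignoring other types."""
    for label, der in parse_pem_blocks(text):
        if label == "CERTIFICATE":
            return der
    raise ValueError("no CERTIFICATE block found in input")


if __name__ == "__main__":
    for label, der in parse_pem_blocks(SAMPLE_PEM_FILE):
        print(f"{label}: {len(der)} DER bytes")
    print("first certificate:", extract_first_certificate(SAMPLE_PEM_FILE))
```

The regex anchors only on the armor lines, which is what lets leading text survive; the label comparison and strict base64 decoding are the two checks that turn a vague downstream failure into a specific error at input time.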
