[Freeipa-users] Installation issues with sub-ca.

[John Dennis]

On 11/14/2013 03:29 AM, Andrea Bontempi wrote:
> I did some tests: The error occurs when I use a CA managed by EJBCA,
> if I use a CA generated by openssl or nss everything works properly.
> 
> The problem is that i can't reproduce the bug in an external nss
> db... but maybe I don't follow the same steps that uses the
> installation script.

Do we have a copy of the sub-CA cert and the CA cert which we can
examine? There are a variety of rules (primarially in the cert
extentions) which can cause validation failure if the extensions are not
as expected. My guess is you've got something specified in the
extensions which is unanticiapated or incorrect.


-- 
John