[Freeipa-users] Globalsign External CA Certificate Import Failure

Rob Crittenden rcritten at redhat.com
Fri Jan 3 20:58:21 UTC 2014


James Scollard wrote:
> When attempting to run the second part of the installation with an
> external CA (Globalsign) using my signed certificate and CA certificate
> chain I get the following;
>
> [root at ldapm6x00 ~]# ipa-server-install
> --external_cert_file=/root/ldapm6x00.sun.weather.com.crt
> --external_ca_file=/root/sun.weather.com.crt
>
> The log file for this installation can be found in
> /var/log/ipaserver-install.log
> Directory Manager password:
>
> Subject of the external certificate is not correct (got
> CN=*.sun.weather.com,O=The Weather Channel Interactive\,
> Inc,L=Atlanta,ST=Georgia,C=US, expected CN=Certificate
> Authority,O=SUN.WEATHER.COM).
>
> CN= and O= are correct, so why is IPA refusing to use the certificate?
> It appears to be expecting bogus data instead of using the provided
> identity.  This doesn't appear to be an issue with the certificate,
> although I have never installed FreeIPA with a Globalsign certificate. I
> did not see this problem with Network Solutions wildcard certificates
> though.  Any suggestions would be appreciated.

This isn't related to the external CA, it just can't modify the subject 
of the IPA CA, which it did in this case. I'm not even entirely sure 
what it would mean to have the CA certificate itself be a wildcard cert. 
Doesn't seem to be a valid use-case though.

Looks like this validation was added in v3.

rob
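
A pre-flight check for the failure discussed in this thread, as an added example that is not part of either message and is not FreeIPA code: it compares the subject and public key of the certificate returned by the external CA against the CSR that was submitted, before the certificate is handed to ipa-server-install. It assumes the CSR from the first install step is still available; here self-signing stands in for the external CA, and EXAMPLE.TEST, "Example, Inc" and all file names are constructed.

```sh
#!/bin/sh
# Added example. Self-signing stands in for the external CA; the realm
# EXAMPLE.TEST, "Example, Inc" and every file name below are constructed.

# subject_of req|x509 FILE: subject in RFC 2253 form, as in the installer's error.
subject_of() {
    openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# pubkey_of req|x509 FILE: PEM public key carried by the CSR or certificate.
pubkey_of() {
    openssl "$1" -in "$2" -noout -pubkey
}

# check_issued_cert CSR CERT: 0 only if the CA kept the CSR's subject and key,
# 1 on a mismatch, 2 if either file could not be parsed.
check_issued_cert() {
    want=$(subject_of req "$1")
    got=$(subject_of x509 "$2")
    [ -n "$want" ] && [ -n "$got" ] || return 2
    if [ "$got" != "$want" ]; then
        echo "subject changed by CA: got '$got', expected '$want'" >&2
        return 1
    fi
    if [ "$(pubkey_of req "$1")" != "$(pubkey_of x509 "$2")" ]; then
        echo "certificate was issued for a different key than the CSR" >&2
        return 1
    fi
}

# make_samples DIR: one CSR, one cert that keeps its subject, one that does not.
make_samples() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.csr" \
        -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" 2>/dev/null &&
    openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -days 1 \
        -out "$1/good.crt" 2>/dev/null &&
    openssl req -x509 -new -key "$1/ca.key" -days 1 -out "$1/bad.crt" \
        -subj "/C=US/O=Example, Inc/CN=*.example.test" 2>/dev/null
}

demo=$(mktemp -d)
make_samples "$demo"
check_issued_cert "$demo/ca.csr" "$demo/good.crt" && echo "good.crt: matches the CSR"
check_issued_cert "$demo/ca.csr" "$demo/bad.crt" || echo "bad.crt: rejected"
rm -rf "$demo"
```

The comparison uses the RFC 2253 rendering so that an escaped comma inside an O= value, like the one in the error message quoted above, is compared as part of the value rather than as a separator.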



