[Freeipa-users] Globalsign External CA Certificate Import Failure

James Scollard james.scollard at weather.com
Fri Jan 3 21:13:04 UTC 2014


Thanks for the reply,

Version:

Package freeipa-server-3.3.3-2.fc19.x86_64 already installed and latest 
version...

I'm not sure I understand the answer.

I created the CSR and they signed it using their automation, and 
returned the new ones to me for installation, which failed. 
SUN.WEATHER.COM is a valid Kerberos domain name, but not a valid O=.  
The node itself is xxxxx.sun.weather.com, we have a wildcard certificate 
for sun.weather.com, and this domain controller needs the certificate 
for the domain for setup to complete.

What am I doing wrong here?

On 1/3/14 3:58 PM, Rob Crittenden wrote:
> James Scollard wrote:
>> When attempting to run the second part of the installation with an
>> external CA (Globalsign) using my signed certificate and CA certificate
>> chain I get the following;
>>
>> [root at ldapm6x00 ~]# ipa-server-install
>> --external_cert_file=/root/ldapm6x00.sun.weather.com.crt
>> --external_ca_file=/root/sun.weather.com.crt
>>
>> The log file for this installation can be found in
>> /var/log/ipaserver-install.log
>> Directory Manager password:
>>
>> Subject of the external certificate is not correct (got
>> CN=*.sun.weather.com,O=The Weather Channel Interactive\,
>> Inc,L=Atlanta,ST=Georgia,C=US, expected CN=Certificate
>> Authority,O=SUN.WEATHER.COM).
>>
>> CN= and O= are correct, so why is IPA refusing to use the certificate?
>> It appears to be expecting bogus data instead of using the provided
>> identity.  This doesn't appear to be an issue with the certificate,
>> although I have never installed FreeIPA with a Globalsign certificate. I
>> did not see this problem with Network Solutions wildcard certificates
>> though.  Any suggestions would be appreciated.
>
> This isn't related to the external CA, it just can't modify the 
> subject of the IPA CA, which it did in this case. I'm not even 
> entirely sure what it would mean to have the CA certificate itself be 
> a wildcard cert. Doesn't seem to be a valid use-case though.
>
> Looks like this validation was added in v3.
>
> rob
>

-- 
James E. Scollard III

Senior Cloud Systems Architect
c: 615.730.4387
www.weather.com


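As an added example (not part of this thread, and not FreeIPA's own code), the script below parses an LDAP-style subject DN like the one in the error message, handling backslash-escaped commas, and compares it with the subject FreeIPA expects for its CA certificate, CN=Certificate Authority,O=<REALM>. Run on the subject from the error above it shows why a wildcard host certificate is rejected: the external CA has to sign the CSR that ipa-server-install generated for the IPA CA, whose subject is that CA DN, not a server certificate for the host or the domain. The realm and the sample DNs are taken from the thread; the function names are my own.

```python
# Added example (hypothetical helper, not from FreeIPA): check whether an
# externally signed certificate's subject matches the IPA CA subject that
# ipa-server-install expects, CN=Certificate Authority,O=<REALM>.
from typing import List, Tuple

RDN = Tuple[str, str]


def split_dn(dn: str) -> List[RDN]:
    """Split an RFC 4514 style DN string into (attribute, value) pairs.

    A backslash escapes the next character, so 'O=Foo\\, Inc' is one RDN
    with value 'Foo, Inc' (the installer's error message uses this form).
    Attribute names are upper-cased so 'o=' and 'O=' compare equal.
    """
    pieces: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            pieces.append("".join(current))
            current = []
        else:
            current.append(ch)
    pieces.append("".join(current))

    pairs: List[RDN] = []
    for piece in pieces:
        piece = piece.strip()
        if not piece:
            continue
        attr, _, value = piece.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def format_dn(pairs: List[RDN]) -> str:
    """Render (attribute, value) pairs back to a DN, escaping commas."""
    return ",".join(f"{a}={v.replace(',', chr(92) + ',')}" for a, v in pairs)


def expected_ca_subject(realm: str) -> List[RDN]:
    """Subject FreeIPA generates for its own CA: CN=Certificate Authority,O=REALM."""
    return [("CN", "Certificate Authority"), ("O", realm)]


def check_ca_subject(actual_dn: str, realm: str) -> Tuple[bool, str]:
    """Return (ok, message) mirroring the installer's subject validation.

    The comparison is exact and ordered: the external CA must sign the CSR
    unchanged, so extra RDNs (L=, ST=, C=) or a different CN/O both fail.
    """
    actual = split_dn(actual_dn)
    expected = expected_ca_subject(realm)
    if actual == expected:
        return True, "subject matches the expected IPA CA subject"
    return False, (
        f"Subject of the external certificate is not correct "
        f"(got {format_dn(actual)}, expected {format_dn(expected)})."
    )


if __name__ == "__main__":
    # Sample input constructed from the thread's error message.
    wildcard = (
        r"CN=*.sun.weather.com,O=The Weather Channel Interactive\, Inc,"
        r"L=Atlanta,ST=Georgia,C=US"
    )
    for subject in (wildcard, "CN=Certificate Authority,O=SUN.WEATHER.COM"):
        ok, msg = check_ca_subject(subject, "SUN.WEATHER.COM")
        print("OK  " if ok else "FAIL", msg)
```

The first subject reproduces the installer's complaint; only the second one, the CA DN from the CSR the first installation step wrote, passes. Before re-running the second step, comparing the returned certificate's subject this way (or with `openssl x509 -noout -subject`) confirms the CA signed the right request.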