[Freeipa-users] [freeipa 3.0.0] Changing the DN in the signing request

Rob Crittenden rcritten at redhat.com
Mon Sep 8 14:08:22 UTC 2014


Anwar El fatayri wrote:
> Hello everyone...
>
> I'm trying to request SSL Certificates from my machines (ex:
> vadqualif02) for a specific service (ex: Syslog-ng).
>
> I would like to distinguish between my client and server certificates
> by changing the DN. The problem is that when I try to do that (see the
> command below), I'm still getting the default DN (CN=hostname).
>
> sudo ipa-getcert request -r \
>     -f /etc/pki/tls/certs/syslog-ng_vadqualif02.lbg.office.lyra.crt \
>     -k /etc/pki/tls/private/syslog-ng_vadqualif02.lbg.office.lyra.key \
>     -N OU=toto,CN=roro \
>     -K SYSLOG-NG_CLIENT/vadqualif02.lbg.office.lyra@OFFICE.LYRA
>
> Any ideas?

I'm surprised this isn't just being rejected instead.

IPA requires that the CN of the CSR match the host/service being
requested for. It will also drop anything other than CN and replace it
with the subject of the CA (usually O=EXAMPLE.COM).

There is no way around this.

rob
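The rule Rob describes (the CN must match the host of the principal named in -K, every other RDN is discarded and the CA's subject base is appended) can be applied to the -N value before ipa-getcert is ever run. The following pre-flight check is an added example written for this page; it is not part of the thread and not FreeIPA code. Assumptions: the CA subject base is O=<REALM> (Rob says "usually O=EXAMPLE.COM", so the realm is used here), hostnames are compared case-insensitively, and the subject string uses RFC 4514 syntax with backslash-escaped commas.

```python
"""Pre-flight check for an ipa-getcert request.

Added example, not code from the thread or from FreeIPA.
Assumptions (not stated on the page):
  - the CA subject base appended to the CN is O=<REALM>;
  - hostnames are compared case-insensitively.
"""
import re


def parse_dn(dn):
    """Split an RFC 4514-style subject ('OU=toto,CN=roro') into
    (attribute, value) pairs.  Commas escaped as '\\,' stay inside
    the value instead of starting a new RDN."""
    pairs = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, sep, value = rdn.partition('=')
        if not sep:
            raise ValueError(f"bad RDN {rdn!r} in subject {dn!r}")
        pairs.append((attr.strip().upper(),
                      value.strip().replace('\\,', ',')))
    return pairs


def principal_host(principal):
    """'SYSLOG-NG_CLIENT/vadqualif02.lbg.office.lyra@OFFICE.LYRA'
    -> ('vadqualif02.lbg.office.lyra', 'OFFICE.LYRA')"""
    m = re.fullmatch(r'([^/@]+)/([^/@]+)@([^/@]+)', principal)
    if not m:
        raise ValueError(f"not a service principal: {principal!r}")
    return m.group(2).lower(), m.group(3)


def check_request(subject, principal):
    """Apply the IPA rule from the reply above to a requested subject.

    Returns a dict with:
      cn_ok          - True only if there is exactly one CN and it equals
                       the host part of the principal;
      dropped        - RDNs other than CN, which IPA will discard;
      issued_subject - the subject the issued cert will actually carry
                       (assumption: CA subject base is O=<REALM>).
    """
    host, realm = principal_host(principal)
    rdns = parse_dn(subject)
    cns = [value for attr, value in rdns if attr == 'CN']
    dropped = [f"{attr}={value}" for attr, value in rdns if attr != 'CN']
    cn_ok = len(cns) == 1 and cns[0].lower() == host
    return {
        'cn_ok': cn_ok,
        'dropped': dropped,
        'issued_subject': f"CN={host},O={realm}",  # assumption: O=<REALM> base
    }


if __name__ == '__main__':
    # Values taken from the command quoted in this thread.
    principal = 'SYSLOG-NG_CLIENT/vadqualif02.lbg.office.lyra@OFFICE.LYRA'
    for subject in ('OU=toto,CN=roro', 'CN=vadqualif02.lbg.office.lyra'):
        result = check_request(subject, principal)
        state = 'accepted' if result['cn_ok'] else 'CN mismatch, request will not work'
        print(f"-N {subject!r}: {state}; dropped RDNs: {result['dropped']}; "
              f"issued subject: {result['issued_subject']}")
```

Run it with the -N and -K values from the quoted command and it reports that CN=roro does not match vadqualif02.lbg.office.lyra and that OU=toto would be discarded; the only subject that passes is CN=vadqualif02.lbg.office.lyra. If client and server certificates need to be told apart, that has to happen through something other than the DN, for example the service principal and file names, since the DN itself is fixed by the CA.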
