[Freeipa-users] Common Name for the ipa-cacert-manage command
Rob Crittenden
rcritten at redhat.com
Thu Apr 30 20:44:43 UTC 2015
William Graboyes wrote:
> Hi list,
>
> The end goal is to eliminate self signed certs from user interaction
> with FreeIPA, without having to roll out changes to each user in the
> house (and remote locations). So basically changing the CA to a
> trusted CA that will not bring "scare" the users with "Site security
> cannot be verified, return to safety."
>
> The problem with the CN is that when it is read from the CSR the
> CN="Certificate Authority". Which is not an acceptable CN according
> to the tool we use for generating certs, The tool we use expects a CN
> of something along the lines of example.com.
That sounds odd. The CN of a CA doesn't represent a machine or a
specific domain, it represents itself. Granted Certificate Authority
isn't all that unique a name either, but it's what we defaulted to, IIRC
based on the dogtag defaults.
Changing it might have other odd side-effects too as it's hardcoded in a
few other places. I'm not exactly sure what would break, if anything.
It sounds like your tool is issuing a server cert, not a CA cert. A
server cert traditionally has used cn=FQDN,<rest of subject>. That
doesn't really apply to a CA.
So it's changeable if you hack some installer code, but there be dragons.
rob
>
> Thanks,
> Bill
>
> On 4/21/15 2:55 PM, Rob Crittenden wrote:
>> William Graboyes wrote:
>>> Hi List,
>>>
>>> I am having yet another issue, when I run the following command:
>>> ipa-cacert-manage renew --external-ca
>>>
>>> It does output the CSR, however the CN is not a valid name
>>> (Certificate Authority). Is it possible to change the output of
>>> this command to use an external CA that requires a proper common
>>> name to be in the CSR?
>>>
>>> What I am trying to do is change from the internal self signed
>>> certs to an external CA signing system.
>>>
>
>> What isn't valid about the name?
>
>> This would make the IPA CA a subordinate of the external CA. Is
>> that what you want?
>
>> rob
>
>
>
More information about the Freeipa-users
mailing list