[Freeipa-users] Common Name for the ipa-cacert-manage command

Dmitri Pal dpal at redhat.com
Thu Apr 30 21:45:45 UTC 2015 

On 04/30/2015 04:50 PM, William Graboyes wrote:
> Let me ask this a different way.
>
> What is the easiest method of using a trusted third party cert for the web UI?

Make IPA CA-less with just certs from that 3rd party CA installed or 
make IPA trust that CA and be a sub CA.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#install-ca-options

>
> Running IPA 4.1.0 on Centos 7.
>
> Thanks,
> Bill
> On 4/30/15 1:44 PM, Rob Crittenden wrote:
>> William Graboyes wrote:
>>> Hi list,
>>>
>>> The end goal is to eliminate self signed certs from user interaction
>>> with FreeIPA, without having to roll out changes to each user in the
>>> house (and remote locations).  So basically changing the CA to a
>>> trusted CA that will not bring "scare" the users with "Site security
>>> cannot be verified, return to safety."
>>>
>>> The problem with the CN is that when it is read from the CSR the
>>> CN="Certificate Authority".  Which is not an acceptable CN according
>>> to the tool we use for generating certs, The tool we use expects a CN
>>> of something along the lines of example.com.
>> That sounds odd. The CN of a CA doesn't represent a machine or a
>> specific domain, it represents itself. Granted Certificate Authority
>> isn't all that unique a name either, but it's what we defaulted to, IIRC
>> based on the dogtag defaults.
>>
>> Changing it might have other odd side-effects too as it's hardcoded in a
>> few other places. I'm not exactly sure what would break, if anything.
>>
>> It sounds like your tool is issuing a server cert, not a CA cert. A
>> server cert traditionally has used cn=FQDN,<rest of subject>. That
>> doesn't really apply to a CA.
>>
>> So it's changeable if you hack some installer code, but there be dragons.
>>
>> rob
>>> Thanks,
>>> Bill
>>>
>>> On 4/21/15 2:55 PM, Rob Crittenden wrote:
>>>> William Graboyes wrote:
>>>>> Hi List,
>>>>>
>>>>> I am having yet another issue, when I run the following command:
>>>>> ipa-cacert-manage renew --external-ca
>>>>>
>>>>> It does output the CSR, however the CN is not a valid name
>>>>> (Certificate Authority).  Is it possible to change the output of
>>>>> this command to use an external CA that requires a proper common
>>>>> name to be in the CSR?
>>>>>
>>>>> What I am trying to do is change from the internal self signed
>>>>> certs to an external CA signing system.
>>>>>
>>>> What isn't valid about the name?
>>>> This would make the IPA CA a subordinate of the external CA. Is
>>>> that what you want?
>>>> rob
>>>
>>>


-- 
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.

More information about the Freeipa-users mailing list