[Freeipa-users] can't specify DNS name or subject in cert request in FreeIPA 3.3
Martin Kosek
mkosek at redhat.com
Fri Mar 27 11:42:40 UTC 2015
You are doing it correctly. However, the DNS SubjectAltName only works with
FreeIPA 4.0+. The CA profile before this version does not allow them.
This is the upstream ticket:
https://fedorahosted.org/freeipa/ticket/3977
On 03/26/2015 07:09 PM, Steve Neuharth wrote:
> I'm trying to specify a subject name in a cert request like this:
>
> ipa-getcert request -K HTTP/web.test.org -N cn=www.test.org,o=TEST.ORG
> -f /tmp/webserver.crt -k /tmp/webprivate.key -r
>
> or like this
>
> ipa-getcert request -K HTTP/web.test.org -D www.test.org -f
> /tmp/webserver.crt -k /tmp/webprivate.key -r
>
> The resulting certificate, however, just has the hostname of the server
> like this:
>
> Request ID '20150326060555':
> status: MONITORING
> stuck: no
> key pair storage: type=FILE,location='/tmp/webprivate.key'
> certificate: type=FILE,location='/tmp/webserver.crt'
> CA: IPA
> issuer: CN=Certificate Authority,O=TEST.ORG
> subject: CN=web.test.org,O=TEST.ORG
> expires: 2017-03-26 05:46:29 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>
> Is this a bug or am I doing something wrong in certmonger?
>
> --steve
>
>
>