[Freeipa-users] change CA subject or "friendly name"?
Jan Cholasta
jcholast at redhat.com
Tue Apr 19 05:41:56 UTC 2016
Hi,
On 12.4.2016 01:08, Fraser Tweedale wrote:
> On Mon, Apr 11, 2016 at 11:43:17AM -0400, Anthony Clark wrote:
>> Hello All,
>>
>> I'm in the process of deploying FreeIPA 4 in a development environment.
>> One of my testers has imported the ca.pem file into Windows, and indicates
>> that it displays as:
>>
>> Issued to: Certificate Authority
>> Issued by: Certificate Authority
>> Friendly Name: <None>
>>
>> This will unfortunately cause confusion among certain end users, so I was
>> wondering if there's a way to change those attributes?
>>
>> Ideally without reinstalling everything, but thankfully we're still early
>> in the process so it's OK if do blow everything away.
>>
>> Do I need to generate a new CA outside of FreeIPA and then use
>> ipa-cacert-manage to "renew" the base CA?
>>
>> Thanks,
>>
>> Anthony Clark
>
> Hi Anthony,
>
> After a brief investigation it appears that ``Friendly Name'' is a
> property that can be set in a Windows certificate store, and is not
> part of, or derived from, the certificate itself.
>
> Here are a couple of TechNet articles that might help:
>
> - https://technet.microsoft.com/en-us/library/cc740218%28v=ws.10%29.aspx
> - https://blogs.technet.microsoft.com/pki/2008/12/12/defining-the-friendly-name-certificate-property/
As for "Issued to" and "Issued by", I guess these are derived from the
subject and issuer name fields of the certificate, which currently can't
be changed for our CA certificate.
We have a ticket to fix this for quite some time:
<https://fedorahosted.org/freeipa/ticket/2614>.
--
Jan Cholasta
More information about the Freeipa-users
mailing list