[Freeipa-users] ipa-server-install ERROR: IPA CA certificate not found in ...

Alexander Bokovoy abokovoy at redhat.com
Tue Aug 16 18:09:13 UTC 2016


On Tue, 16 Aug 2016, Zarko Dudic wrote:
>Thanks Rob. This command creates the CSR.
>
># ipa-server-install --subject 'OU=CorpArch,O=Corporation,L=Town,ST=California,C=US' --external-ca
>
>And verification with command :
>
># openssl req -in /root/ipa.csr -noout -text
>
>... shows "Subject: C=US, ST=California, L=Town, O=Corporation, 
>OU=CorpArch, CN=Certificate Authority"
>
>Since the CN is unconfigurable, how is it expected to be signed by a 3rd
>party external CA? They usually want to see an FQDN.

This is not a certificate signing request for a host-based certificate.
This is a certificate signing request for a CA root certificate. It is
unlikely that you will get it signed by a public CA because that
signature basically makes your IPA CA a sub-CA.

This is quite different from signing a server certificate.

The --external-ca option is provided to allow your IPA CA to be a sub-CA for
a corporate CA. I don't know any publicly available CA that could
actually sign it for you.

-- 
/ Alexander Bokovoy
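
The distinction drawn in the reply above, as an added example that is not part of the original message or of FreeIPA: it builds a constructed CA-type CSR with the subject from the thread and a constructed host-type CSR, classifies each by its requested basicConstraints, and has a stand-in corporate root sign the CA request so that it becomes a subordinate CA. It assumes the CA request carries a basicConstraints CA:TRUE extension request; the root CA, the host name ipa.example.test and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example; all keys, names and certificates are constructed locally.
set -eu

csr_kind() {   # "ca" if the request asks for CA:TRUE, otherwise "end-entity"
    if openssl req -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo ca
    else echo end-entity; fi
}

chain_ok() {   # $1 = root certificate, $2 = certificate issued under it
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

build_demo() { # $1 = empty working directory
    d=$1
    cat > "$d/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused-overridden-by-subj
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[host_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:ipa.example.test
EOF
    # Stand-in for the corporate root CA (hypothetical).
    openssl req -x509 -new -newkey rsa:2048 -nodes -config "$d/cfg" -extensions ca_ext \
        -subj '/O=Corporation/CN=Constructed Corporate Root' -days 30 \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    # CA-type request carrying the subject shown in the thread.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/cfg" -reqexts ca_ext \
        -subj '/C=US/ST=California/L=Town/O=Corporation/OU=CorpArch/CN=Certificate Authority' \
        -keyout "$d/ipa.key" -out "$d/ipa.csr" 2>/dev/null
    # Host-type request with an FQDN in CN and SAN (constructed host name).
    openssl req -new -newkey rsa:2048 -nodes -config "$d/cfg" -reqexts host_ext \
        -subj '/O=Corporation/CN=ipa.example.test' \
        -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null
    # The corporate root signs the CA request: the result is a subordinate CA.
    openssl x509 -req -in "$d/ipa.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/cfg" -extensions ca_ext \
        -out "$d/ipa-ca.crt" 2>/dev/null
}

work=$(mktemp -d)
build_demo "$work"
echo "ipa.csr  -> $(csr_kind "$work/ipa.csr")"
echo "host.csr -> $(csr_kind "$work/host.csr")"
echo "ipa-ca.crt chains to root: $(chain_ok "$work/root.crt" "$work/ipa-ca.crt")"
```

The generated files stay in the temporary directory held in `$work` for inspection with `openssl req -noout -text` or `openssl x509 -noout -text`.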



