[Freeipa-users] ipa-server-install ERROR: IPA CA certificate not found in ...
Zarko Dudic
zarko.dudic at oracle.com
Tue Aug 23 23:25:28 UTC 2016
On 8/16/2016 11:09 AM, Alexander Bokovoy wrote:
> On Tue, 16 Aug 2016, Zarko Dudic wrote:
>> Thanks Rob. This command creates the CSR.
>>
>> # ipa-server-install --subject
>> 'OU=CorpArch,O=Corporation,L=Town,ST=California,C=US' --external-ca
>>
>> And verification with command :
>>
>> # openssl req -in /root/ipa.csr -noout -text
>>
>> ... shows "Subject: C=US, ST=California, L=Town, O=Corporation,
>> OU=CorpArch, CN=Certificate Authority"
>>
>> Since the CN is unconfigurable, how is it expected to be signed by a 3rd-party
>> external CA? They usually want to see an FQDN.
> This is not a certificate signing request for a host-based certificate.
> This is a certificate signing request for a CA root certificate. It is
> unlikely that you will get it signed by a public CA because that
> signature basically makes your IPA CA a sub-CA.
>
Hi Alexander,
What you say here makes sense; I was trying this because the doc
"Linux Domain Identity, Authentication, and Policy Guide", in section
"2.3.2. Determining What CA Configuration to Use", reads:

    An external CA is the root CA
    The Certificate System CA is subordinate to an external CA.
    However, all certificates for the IdM domain are still issued by the
    Certificate System instance.
    The external CA can be a corporate CA or a third-party CA, such as
    Verisign or Thawte.
    The certificates issued within the IdM domain are potentially subject to
    restrictions set by the external root CA for attributes like the
    validity period.
> This is quite different from signing a server certificate.
>
> --external-ca option is provided to allow your IPA CA to be a sub-ca for
> a corporate CA. I don't know any publicly available CA that could
> actually sign it for you.
>
--
Thanks,
Zarko
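The point Alexander makes, that the CSR written by `--external-ca` is a request for a CA certificate and that signing it turns the IPA CA into a subordinate of the signer, can be checked with openssl before the CSR is sent anywhere. The script below is an added example, not code from the thread or from FreeIPA. It builds a throwaway "corporate root CA", a CA-style CSR shaped like IPA's (the fixed `CN=Certificate Authority` plus `basicConstraints CA:TRUE` in the requested extensions, which is an assumption about the IPA CSR's contents) and a host-style CSR for comparison, classifies both, then signs the CA CSR with the test root to show the result is a sub-CA chained to it. All names, paths and the `ipa.example.test` FQDN are constructed; the only assumption on the host is an OpenSSL with `-nameopt RFC2253` support (1.1.1 or later).

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA). Builds a test root CA, a
# CA-style CSR like the one ipa-server-install --external-ca writes, a
# host-style CSR, and signs the CA CSR as a subordinate CA. Everything here
# (names, paths, FQDN) is constructed for illustration.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUBJ_BASE="/C=US/ST=California/L=Town/O=Corporation/OU=CorpArch"

# Minimal config so the run does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ root_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca_req ]
basicConstraints = critical,CA:TRUE
[ host_req ]
subjectAltName = DNS:ipa.example.test
[ sub_ca ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
EOF

# Classify a CSR: "ca" if its requested extensions carry CA:TRUE, otherwise
# "end-entity". A CA:TRUE request is a sub-CA request, not a host certificate.
csr_kind() {
    if openssl req -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo ca
    else
        echo end-entity
    fi
}

# Subject CN of a CSR, normalised with RFC2253 so output is version-independent.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Exit 0 when a certificate carries the CA bit.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Exit 0 when CERT ($2) validates against ROOT ($1).
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 1. Throwaway corporate root CA (stands in for the external CA).
openssl req -x509 -new -config "$WORK/openssl.cnf" -extensions root_ca \
    -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" -days 3650 \
    -subj "$SUBJ_BASE/CN=Test Corporate Root CA" 2>/dev/null

# 2. CA-style CSR with the fixed CN the thread describes.
openssl req -new -config "$WORK/openssl.cnf" -reqexts ca_req \
    -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/ipa-ca.key" -out "$WORK/ipa-ca.csr" \
    -subj "$SUBJ_BASE/CN=Certificate Authority" 2>/dev/null

# 3. Host-style CSR: FQDN in CN and SAN, no CA bit.
openssl req -new -config "$WORK/openssl.cnf" -reqexts host_req \
    -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/host.key" -out "$WORK/host.csr" \
    -subj "$SUBJ_BASE/CN=ipa.example.test" 2>/dev/null

# 4. What a corporate CA does with the IPA CSR: sign it as a subordinate CA,
#    imposing its own limits (here a 2-year validity and pathlen:0).
openssl x509 -req -in "$WORK/ipa-ca.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 730 \
    -extfile "$WORK/openssl.cnf" -extensions sub_ca \
    -out "$WORK/ipa-ca.crt" 2>/dev/null

echo "ipa-ca.csr: kind=$(csr_kind "$WORK/ipa-ca.csr") cn=$(csr_cn "$WORK/ipa-ca.csr")"
echo "host.csr:   kind=$(csr_kind "$WORK/host.csr") cn=$(csr_cn "$WORK/host.csr")"
if cert_is_ca "$WORK/ipa-ca.crt" && chain_ok "$WORK/root.crt" "$WORK/ipa-ca.crt"; then
    echo "ipa-ca.crt is a CA certificate chained to the test root (a sub-CA)"
fi
```

On a real server the same `csr_kind` and `csr_cn` functions can be pointed at `/root/ipa.csr`; a `ca` result with `CN=Certificate Authority` is exactly the sub-CA request Alexander describes, and a public CA will not sign it, whereas a corporate CA that does sign it decides the validity period and path length of the resulting IPA CA certificate, which is the restriction the guide excerpt refers to.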