[Freeipa-users] freeipa 4.2.0 ipa-cacert-manage not generating CSR with CA:True for chaining
Frank Li
frli at paloaltonetworks.com
Mon Oct 31 07:46:16 UTC 2016
We currently have IPA 4.2 servers working with a self-signed CA certificate with the REALM of xyz.local.
I'm trying to chain our xyz.local CA cert with IT's abc.local CA cert so that users on corp laptops (with the abc.local cert already in the CA chain) would trust
the xyz.local CA cert and not get the SSL cert warning when visiting sites with certs issued by the IPA installation.
I followed the steps in the FreeIPA documentation and ran:
ipa-cacert-manage renew --external-ca
It generated the ca.csr, but the CA attribute was set to False:
[root at xyz ipa]# openssl req -in ca.csr -noout -text | grep -B 2 X509
friendlyName :unable to print attribute
Requested Extensions:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:FALSE
Please let me know how to generate the CSR so that CA is set to True, or do I need to manually modify the CSR to make it True?
Thanks.
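
The check done by hand in the message above, as an added example that is not part of the original post and not FreeIPA code: it reads the Basic Constraints value requested in a CSR and can gate submission to the external CA on CA:TRUE. The function names, the EXAMPLE.TEST subject and the throwaway key are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report the basicConstraints CA flag requested in a CSR.
# Prints TRUE, FALSE or ABSENT; prints ERROR and returns 2 if the file
# cannot be parsed as a CSR.
csr_ca_flag() {
    csr_text=$(openssl req -in "$1" -noout -text 2>/dev/null) || { echo ERROR; return 2; }
    printf '%s\n' "$csr_text" | awk '
        /X509v3 Basic Constraints/ { seen = 1; next }   # value is on the following line
        seen {
            if ($0 ~ /CA:TRUE/) print "TRUE"
            else if ($0 ~ /CA:FALSE/) print "FALSE"
            else print "ABSENT"
            found = 1; exit
        }
        END { if (!found) print "ABSENT" }'
}

# Gate for use before a CA renewal CSR is sent to the external CA:
# succeeds only when the request asks for CA:TRUE.
csr_requests_ca() {
    [ "$(csr_ca_flag "$1")" = "TRUE" ]
}

# Build a constructed sample CSR (throwaway key, made-up subject) so the
# check can be tried offline. $1 = output file, $2 = TRUE or FALSE.
make_sample_csr() {
    sample_dir=$(mktemp -d) || return 1
    cat > "$sample_dir/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
O = EXAMPLE.TEST
CN = Certificate Authority
[ext]
basicConstraints = critical,CA:$2
keyUsage = digitalSignature,nonRepudiation,keyCertSign,cRLSign
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$sample_dir/req.cnf" \
        -keyout "$sample_dir/key.pem" -out "$1" 2>/dev/null
    status=$?
    rm -rf "$sample_dir"
    return $status
}
```

Running `csr_requests_ca ca.csr` against the generated request exits non-zero when the CSR carries CA:FALSE, as in the output quoted above.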