[Freeipa-users] CA crt renew -- encoding mismatch

Jan Orel janorel at gmail.com
Wed Jan 11 17:11:42 UTC 2017


To sum up, our problem was that we did not install the new CA crt on all replicas,
which should probably be done using "ipa-certupdate", but we missed that in
the documentation.

Regarding the certificate encoding, we noticed that after the upgrade v3
-> v4, IPA issues certificates in UTF8STRING, and as long as our CA crt was
still PRINTABLESTRING, it created mismatched certificates. This could be
fixed by the CA crt renew.

J.


2017-01-04 16:46 GMT+01:00 Jan Orel <janorel at gmail.com>:

> Hello,
>
> recently we renewed our CA crt. Later we noticed the new CA certificate
> uses different encoding in Issuer and Subject:
>
> subject=
>     organizationName          = UTF8STRING:INTGDC.COM
>     commonName                = UTF8STRING:Certificate Authority
> issuer=
>     organizationName          = PRINTABLESTRING:INTGDC.COM
>     commonName                = PRINTABLESTRING:Certificate Authority
>
> The former CA certificate is PRINTABLESTRING in both fields, as well as
> all the older certs.
>
> Since the renewal we have issues with trusting newly issued certificates,
> which also have different encoding in subject and issuer.
>
> What should be the default (correct) encoding for the certificates?
>
> According to the: http://www.freeipa.org/page/Troubleshooting seems it
> should be UTF8
>
> but from the certmonger:
> https://git.fedorahosted.org/cgit/certmonger.git/commit/?id=e6ecd5d8df3413a9717c57ee7fb8702ece23afd6
>
> seems PRINTABLESTRING is used.
>
> How to fix? Do we need to renew the CA certificate once again?
>
> Thank you
> Jan Orel
>
> We run:
> ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
> certmonger-0.78.4-1.el7.x86_64
> nuxwdog-1.0.3-4.el7_2.x86_64
>
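
The mismatch discussed in this thread, as an added example (not code from the thread or from FreeIPA): a stdlib-only DER walk that compares a certificate's issuer Name with a CA certificate's subject Name and reports when the text is equal but the ASN.1 string type differs, the case that fails for any verifier that matches names by comparing their DER bytes. The sample certificates are constructed, unsigned skeletons, and all function names are illustrative.

```python
STRING_TAGS = {0x0C: "UTF8STRING", 0x13: "PRINTABLESTRING", 0x14: "T61STRING"}

def read_tlv(buf, off=0):
    """Return (tag, value, raw_element, next_offset) for the DER element at off."""
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], buf[off:pos + length], pos + length

def children(value):  # yield (tag, value, raw_element) for each contained element
    off = 0
    while off < len(value):
        tag, val, raw, off = read_tlv(value, off)
        yield tag, val, raw

def cert_names(cert_der):  # raw DER (issuer, subject) Names of an X.509 certificate
    fields = [f for f in children(read_tlv(read_tlv(cert_der)[1])[1]) if f[0] != 0xA0]
    return fields[2][2], fields[4][2]  # serial, sigAlg, issuer, validity, subject

def dn_string_types(name_der):
    """Return [(oid_hex, string_type, value_bytes)] for each attribute in a Name."""
    out = []
    for _, rdn, _ in children(read_tlv(name_der)[1]):   # each RDN is a SET
        for _, atv, _ in children(rdn):                 # SEQUENCE { OID, value }
            (_, oid, _), (vtag, val, _) = list(children(atv))[:2]
            out.append((oid.hex(), STRING_TAGS.get(vtag, hex(vtag)), val))
    return out

def chain_name_check(child_der, ca_der):
    """'match', 'encoding-mismatch' (same text, other string type) or 'different'."""
    issuer, ca_subject = cert_names(child_der)[0], cert_names(ca_der)[1]
    if issuer == ca_subject:
        return "match"
    a, b = dn_string_types(issuer), dn_string_types(ca_subject)
    same = [(o, v) for o, _, v in a] == [(o, v) for o, _, v in b]  # ASCII bytes equal
    return "encoding-mismatch" if same else "different"

# Constructed sample data (added example): unsigned skeletons with the thread's DN.
tlv = lambda tag, content: bytes([tag, len(content)]) + content  # short lengths only
DN = ((b"\x55\x04\x0a", b"INTGDC.COM"), (b"\x55\x04\x03", b"Certificate Authority"))
def name(tag):
    return tlv(0x30, b"".join(tlv(0x31, tlv(0x30, tlv(0x06, o) + tlv(tag, s))) for o, s in DN))
def skeleton(issuer, subject):  # serial 1, empty sigAlg and validity stand-ins
    return tlv(0x30, tlv(0x30, b"\x02\x01\x01\x30\x00" + issuer + b"\x30\x00" + subject))
OLD_CA, NEW_CA = skeleton(name(0x13), name(0x13)), skeleton(name(0x13), name(0x0C))
LEAF = skeleton(name(0x0C), name(0x0C))  # hypothetical cert issued after the v4 upgrade
```

To run it on real certificates, convert PEM to DER first, for example with `ssl.PEM_cert_to_DER_cert` from the standard library.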