[Freeipa-users] bad certificate used to sign freeipa
Fraser Tweedale
ftweedal at redhat.com
Mon Mar 13 02:36:43 UTC 2017
On Fri, Mar 10, 2017 at 01:16:42PM +0100, Harald Dunkel wrote:
> Hi folks,
>
> I stumbled over this problem:
>
> http://openbsd-archive.7691.n7.nabble.com/Certificate-Error-quot-format-error-in-certificate-s-notAfter-field-quot-td304262.html
>
> The details don't really matter. The important point is that
> the root certificate used to sign freeipa's certificate
> appears to be unacceptable on OpenBSD and maybe others.
>
> What would you suggest? Is there a guideline to migrate
> freeipa to a new certificate authority?
>
>
> Every helpful comment is highly appreciated
> Harri
>
The issue in that thread was resolved. It was caused by invalid
encoding of the notAfter field. I think OpenBSD uses LibreSSL in
their base system - and I guess it adheres more strictly to RFC 5280
than other implementations.

As for migrating to a new CA (or merely installing a newer
certificate for the original CA, with correct encoding), you can do
it via ipa-cacert-manage(1).

Cheers,
Fraser
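
Added example, not part of the original message and not FreeIPA or LibreSSL code: a stand-alone Python check of the RFC 5280 section 4.1.2.5 encoding rules for the notBefore/notAfter fields mentioned in the reply. It covers the profile's rules in general rather than the specific defect in the linked thread, which this page does not describe; the function names and the sample Validity bytes are constructed for illustration.

```python
import re
from datetime import datetime

UTC_TIME, GENERALIZED_TIME, SEQUENCE = 0x17, 0x18, 0x30  # ASN.1 universal tags

def tlv(tag: int, content: bytes) -> bytes:
    """Build a short-form DER TLV (content under 128 bytes); used for the samples."""
    return bytes([tag, len(content)]) + content

def check_time(der: bytes) -> list:
    """Return RFC 5280 section 4.1.2.5 violations for one DER-encoded Time."""
    if len(der) < 2 or der[1] != len(der) - 2:
        return ["length octet does not match content size"]
    tag, text = der[0], der[2:].decode("ascii", errors="replace")
    if tag == UTC_TIME:
        # Seconds and the trailing "Z" are mandatory; no offsets, no fractions.
        if not re.fullmatch(r"[0-9]{12}Z", text):
            return ["UTCTime must be YYMMDDHHMMSSZ, got %r" % text]
        # YY >= 50 means 19YY, otherwise 20YY.
        full = ("19" if int(text[:2]) >= 50 else "20") + text[:-1]
    elif tag == GENERALIZED_TIME:
        if not re.fullmatch(r"[0-9]{14}Z", text):
            return ["GeneralizedTime must be YYYYMMDDHHMMSSZ, got %r" % text]
        full = text[:-1]
        if int(full[:4]) < 2050:
            return ["dates through 2049 must use UTCTime, not GeneralizedTime"]
    else:
        return ["tag 0x%02x is neither UTCTime nor GeneralizedTime" % tag]
    try:
        datetime.strptime(full, "%Y%m%d%H%M%S")
    except ValueError:
        return ["not a valid calendar date/time: %r" % text]
    return []

def check_validity(der: bytes) -> dict:
    """Split a DER Validity SEQUENCE into notBefore/notAfter and check each."""
    if len(der) < 4 or der[0] != SEQUENCE or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    body = der[2:]
    end = 2 + body[1]  # notBefore TLV ends here; the rest is notAfter
    return {"notBefore": check_time(body[:end]), "notAfter": check_time(body[end:])}

# Constructed samples: the second encodes a 2037 notAfter as GeneralizedTime.
GOOD = tlv(SEQUENCE, tlv(UTC_TIME, b"170313023643Z") + tlv(GENERALIZED_TIME, b"20500101000000Z"))
BAD = tlv(SEQUENCE, tlv(UTC_TIME, b"170313023643Z") + tlv(GENERALIZED_TIME, b"20370313023643Z"))

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_validity(sample))
```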