[Freeipa-users] External cert with correct CSR?

Fraser Tweedale ftweedal at redhat.com
Thu May 4 01:47:06 UTC 2017


On Tue, May 02, 2017 at 11:10:12AM -0500, Kat wrote:
> Yeah, after I sent this email, I realized what I was trying to do and that,
> "Oh wait, this is not really going to work."
> 
Indeed.  This feature is usually used to chain an IPA CA into an
organisation's existing PKI, which is controlled by the
organisation, thus they can add whatever they need to the cert
regardless of what is/is not asserted by the CSR.

Cheers,
Fraser

> For what it is worth - version on RHEL 7.3 - 4.4.0-14.el7_3.7
> 
> -K
> 
> On 5/2/17 11:04 AM, Rob Crittenden wrote:
> > Kat wrote:
> > > Hi all,
> > > 
> > > I am somewhat confused trying to get the process of using an external
> > > cert for IPA.
> > > 
> > > If I follow step 1:
> > > ipa-server-install -a Secret123 -p Secret123 -r EXAMPLE.COM
> > > --external-ca -U
> > > 
> > > This does indeed generate a CSR, but trying to do anything with this CSR
> > > has no success since it is not properly formed with all info.  In
> > > other words, ipa does not add country, state, location, etc. If I submit
> > > this CSR to any cert company, it will, of course, complain. Is there a
> > > way to get this right? Or am I just missing something here?
> > > 
> > What cert company are you trying to get to sign this? This is a CA cert,
> > I don't know that any of the major ones will sign this, at least not
> > without a huge check.
> > 
> > What version of IPA?
> > 
> > rob
> > 
> 