On Tue, Nov 17, 2020 at 12:53:19PM -0000, A. Karampatziakis via FreeIPA-users wrote:
> Hi all,
>
> For a project we want to use FreeIPA with external CA.
> We are using v4.6.6 on centos7.8.
>
> The guides instruct to use command "ipa-server-install --external-ca", get
> the CSR and run the install command again using the signed certificate.
>
> Issue 1: key length is 2048
> Fix: Found that this can be changed in file
> /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py
> Add under:
> # CA key algorithm
> # config.set("CA", "pki_ca_signing_key_size", 4096)
>
> Issue 2: Subject DN
> The subject on the certificate request is
> "CN=Certificate Authority,O=[realm]"
> but the root-ca requires us to have in the format:
> CN=FREEIPA 2020,serialNumber=XxXx,O=xxx,C=XX
> Q: Is it possible to install the FreeIPA server using the external
> root-ca and a signed certificate from the beginning? (csr created
> outside ipa-server-install command)
>
Not at this time. Maybe in the future.

> Q: Is it possible to alter the information on the certificate
> request to match the root-ca's requirements?
>
Use the `--ca-subject' option of ipa-server-install.

Cheers,
Fraser
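
A check that can be run on the CSR before it goes to the external CA, covering the two points raised in the thread (RSA key size and subject DN). This is an added example, not part of the original messages or of FreeIPA's tooling; the function names are hypothetical, it assumes the `openssl` CLI is installed, and the sample CSR it can build is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): verify a CSR's subject DN and RSA key
# size before submitting it to the external CA. Requires the openssl CLI.

# csr_subject <csr.pem>: print the subject with the most specific RDN first,
# the order used in the thread (CN=...,serialNumber=...,O=...,C=...).
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# csr_key_bits <csr.pem>: print the public key size in bits.
csr_key_bits() {
  openssl req -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# check_csr <csr.pem> <expected-subject> <min-bits>
# Returns 0 only if the subject matches exactly and the key is long enough.
check_csr() {
  local csr="$1" want="$2" min="$3" got bits rc=0
  got=$(csr_subject "$csr")
  bits=$(csr_key_bits "$csr")
  if [ "$got" != "$want" ]; then
    echo "FAIL: subject is '$got', expected '$want'" >&2
    rc=1
  fi
  if [ "${bits:-0}" -lt "$min" ]; then
    echo "FAIL: key is ${bits:-unknown} bits, need >= $min" >&2
    rc=1
  fi
  return "$rc"
}

# make_sample_csr <out.pem> <bits> <openssl -subj string>
# Builds a CONSTRUCTED throwaway CSR so the check can be tried offline.
make_sample_csr() {
  local dir rc
  dir=$(mktemp -d) || return 1
  # Minimal config so the run does not depend on a system openssl.cnf.
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$dir/req.cnf"
  openssl genrsa -out "$dir/key.pem" "$2" 2>/dev/null &&
    openssl req -new -config "$dir/req.cnf" -key "$dir/key.pem" \
      -subj "$3" -out "$1" 2>/dev/null
  rc=$?
  rm -rf "$dir"
  return "$rc"
}

# Stand-alone use: script.sh <csr.pem> <expected-subject> [min-bits]
if [ "$#" -ge 2 ]; then check_csr "$1" "$2" "${3:-4096}"; fi
```

The expected subject is compared as an exact string, so an RDN that is missing, extra or in a different order is reported as a mismatch.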