On Tue, Nov 17, 2020 at 12:53:19PM -0000, A. Karampatziakis via FreeIPA-users wrote:
> Hi all,
>  
> For a project we want to use FreeIPA with an external CA.
> We are using v4.6.6 on CentOS 7.8.
>  
> The guides instruct to use the command "ipa-server-install --external-ca", get
> the CSR and run the install command again using the signed certificate.
>  
> Issue 1: key length is 2048
> Fix: Found that this can be changed in file
> /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py
> Add under:
>   # CA key algorithm
>  #  config.set("CA", "pki_ca_signing_key_size", 4096)
>  
> Issue 2: Subject DN
> The subject on the certificate request is
> “CN=Certificate Authority,O=[realm]”
> but the root-ca requires us to have in the format:
> CN=FREEIPA 2020,serialNumber=XxXx,O=xxx,C=XX
>
> Q: Is it possible to install the FreeIPA server using the external
> root-ca and a signed certificate from the beginning? (csr created
> outside ipa-server-install command)
>
Not at this time.  Maybe in the future.
  
> Q: Is it possible to alter the information on the certificate
> request to match the root-ca’s requirements?
>
Use the `--ca-subject' option of ipa-server-install.

Cheers,
Fraser
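
The two issues raised in this thread (CSR key size and subject DN) can be checked on the CSR before it is sent to the root CA. The script below is an added example, not part of the original thread or of FreeIPA; the function names are hypothetical, the sample CSR is constructed with the DN quoted above, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: pre-submission check of a CA CSR (helper names are hypothetical).

# Print the CSR subject in LDAP order (most specific RDN first), which is
# the order the DN is written in throughout this thread.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -e 's/^subject= *//'
}

# Print the size of the CSR's public key in bits.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# check_csr FILE EXPECTED_DN MIN_BITS
# Returns 0 only when the subject matches exactly and the key is large enough.
check_csr() {
    csr=$1 want_dn=$2 min_bits=$3
    got_dn=$(csr_subject "$csr")
    got_bits=$(csr_key_bits "$csr")
    rc=0
    if [ "$got_dn" != "$want_dn" ]; then
        echo "subject mismatch: got '$got_dn', want '$want_dn'" >&2
        rc=1
    fi
    if [ -z "$got_bits" ] || [ "$got_bits" -lt "$min_bits" ]; then
        echo "key too small: got '${got_bits:-unknown}' bits, want >= $min_bits" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample input: a throwaway 2048-bit CSR carrying the DN format
# the root CA in this thread requires. Not a FreeIPA-generated CSR.
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/C=XX/O=xxx/serialNumber=XxXx/CN=FREEIPA 2020" \
        -out "$1" 2>/dev/null
}

# Demo: run as "sh check_csr.sh --demo"; the 4096-bit requirement fails on purpose.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_sample_csr "$d/ca.csr"
    check_csr "$d/ca.csr" "CN=FREEIPA 2020,serialNumber=XxXx,O=xxx,C=XX" 4096
    echo "exit status: $?"; rm -rf "$d"
fi
```

The comparison is an exact string match on the RFC 2253 form, so attribute order and letter case both have to agree with what the CA expects.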