> On Wed, Apr 3, 2024 at 5:24 AM Travis West via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org> wrote:
>
> That's exactly my point. I would expect subject and issuer to display the
> components in the same order (ending with O=IPA.****.NET). The subject was
> provided to openssl req command, you can try to provide it in the reverse
> order.

If I look at the p12 file I created from the it has them listed in the
correct order for Subject, but the Issuer line is reversed from what getcert
shows:

subject=/CN=OCSP Subsystem/O=IPA.****.NET
issuer=/O=IPA.****.NET/CN=Certificate Authority
subject=/CN=CA Subsystem/O=IPA.****.NET
issuer=/O=IPA.****.NET/CN=Certificate Authority
subject=/CN=CA Audit/O=IPA.****.NET
issuer=/O=IPA.****.NET/CN=Certificate Authority

The CSR was created using this command:

openssl req -new -sha256 -key ocsp.key -subj "/CN=OCSP Subsystem /O=IPA.SUPERB.NET" -out ocsp.csr

The certificate was requested using this command:

x509 -req -in ocsp.csr -CA ca.crt -CAkey ca.key -set_serial 2 -out ocsp.crt -days 3650 -sha256

So you're saying in that CSR req to swap CN and O for that -subj flag?
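
The two display conventions discussed in this thread can be compared mechanically. The following is an added example, not part of the original message or of FreeIPA: it normalises OpenSSL's slash form (RDNs in encoded order) and an RFC 4514 style string (RDNs in reverse order, which is assumed here to be what getcert prints) to one sequence, then checks whether a subject lays out its attributes the way the issuer does. The domain IPA.EXAMPLE.TEST and all function names are constructed for illustration.

```python
def _split_unescaped(text, sep):
    """Split on sep, honouring single-character backslash escapes.
    Simplification: RFC 4514 hex-pair escapes such as '\\2C' are not decoded."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])   # keep the escaped character literally
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts

def _to_rdns(parts):
    """Turn 'TYPE=value' strings into (TYPE, value) tuples, skipping empties."""
    rdns = []
    for part in parts:
        if part.strip():
            attr, _, value = part.partition("=")
            rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def from_openssl_oneline(dn):
    """'/O=X/CN=Y' -> RDNs in encoded order (OpenSSL lists them as encoded)."""
    return _to_rdns(_split_unescaped(dn, "/"))

def from_rfc4514(dn):
    """'CN=Y,O=X' -> RDNs in encoded order (RFC 4514 strings are reversed)."""
    return list(reversed(_to_rdns(_split_unescaped(dn, ","))))

def same_layout(subject_rdns, issuer_rdns):
    """True when both names use the same attribute-type sequence."""
    return [a for a, _ in subject_rdns] == [a for a, _ in issuer_rdns]

# Constructed sample values modelled on the redacted output in the thread.
ISSUER_OPENSSL = "/O=IPA.EXAMPLE.TEST/CN=Certificate Authority"
ISSUER_RFC4514 = "CN=Certificate Authority,O=IPA.EXAMPLE.TEST"
SUBJECT_AS_REQUESTED = "/CN=OCSP Subsystem/O=IPA.EXAMPLE.TEST"
SUBJECT_SWAPPED = "/O=IPA.EXAMPLE.TEST/CN=OCSP Subsystem"

if __name__ == "__main__":
    issuer = from_openssl_oneline(ISSUER_OPENSSL)
    for subj in (SUBJECT_AS_REQUESTED, SUBJECT_SWAPPED):
        print(subj, "matches issuer layout:",
              same_layout(from_openssl_oneline(subj), issuer))
```
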