William Graboyes wrote: > Hi list, > > The end goal is to eliminate self signed certs from user interaction > with FreeIPA, without having to roll out changes to each user in the > house (and remote locations). So basically changing the CA to a > trusted CA that will not bring "scare" the users with "Site security > cannot be verified, return to safety." > > The problem with the CN is that when it is read from the CSR the > CN="Certificate Authority". Which is not an acceptable CN according > to the tool we use for generating certs, The tool we use expects a CN > of something along the lines of example.com.
That sounds odd. The CN of a CA doesn't represent a machine or a specific domain, it represents itself. Granted Certificate Authority isn't all that unique a name either, but it's what we defaulted to, IIRC based on the dogtag defaults. Changing it might have other odd side-effects too as it's hardcoded in a few other places. I'm not exactly sure what would break, if anything. It sounds like your tool is issuing a server cert, not a CA cert. A server cert traditionally has used cn=FQDN,<rest of subject>. That doesn't really apply to a CA. So it's changeable if you hack some installer code, but there be dragons. rob > > Thanks, > Bill > > On 4/21/15 2:55 PM, Rob Crittenden wrote: >> William Graboyes wrote: >>> Hi List, >>> >>> I am having yet another issue, when I run the following command: >>> ipa-cacert-manage renew --external-ca >>> >>> It does output the CSR, however the CN is not a valid name >>> (Certificate Authority). Is it possible to change the output of >>> this command to use an external CA that requires a proper common >>> name to be in the CSR? >>> >>> What I am trying to do is change from the internal self signed >>> certs to an external CA signing system. >>> > >> What isn't valid about the name? > >> This would make the IPA CA a subordinate of the external CA. Is >> that what you want? > >> rob > > > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project