Let me ask this a different way. What is the easiest method of using a trusted third party cert for the web UI?
Running IPA 4.1.0 on CentOS 7.

Thanks,
Bill

On 4/30/15 1:44 PM, Rob Crittenden wrote:
> William Graboyes wrote:
> > Hi list,
> >
> > The end goal is to eliminate self-signed certs from user interaction
> > with FreeIPA, without having to roll out changes to each user in the
> > house (and remote locations). So basically changing the CA to a
> > trusted CA that will not bring "scare" the users with "Site security
> > cannot be verified, return to safety."
> >
> > The problem with the CN is that when it is read from the CSR the
> > CN="Certificate Authority". Which is not an acceptable CN according
> > to the tool we use for generating certs. The tool we use expects a CN
> > of something along the lines of example.com.
>
> That sounds odd. The CN of a CA doesn't represent a machine or a
> specific domain, it represents itself. Granted Certificate Authority
> isn't all that unique a name either, but it's what we defaulted to, IIRC
> based on the dogtag defaults.
>
> Changing it might have other odd side-effects too as it's hardcoded in a
> few other places. I'm not exactly sure what would break, if anything.
>
> It sounds like your tool is issuing a server cert, not a CA cert. A
> server cert traditionally has used cn=FQDN,<rest of subject>. That
> doesn't really apply to a CA.
>
> So it's changeable if you hack some installer code, but there be dragons.
>
> rob
>
> > Thanks,
> > Bill
> >
> > On 4/21/15 2:55 PM, Rob Crittenden wrote:
> >> William Graboyes wrote:
> >>> Hi List,
> >>>
> >>> I am having yet another issue, when I run the following command:
> >>> ipa-cacert-manage renew --external-ca
> >>>
> >>> It does output the CSR, however the CN is not a valid name
> >>> (Certificate Authority). Is it possible to change the output of
> >>> this command to use an external CA that requires a proper common
> >>> name to be in the CSR?
> >>>
> >>> What I am trying to do is change from the internal self-signed
> >>> certs to an external CA signing system.
> >>>
> >> What isn't valid about the name?
> >>
> >> This would make the IPA CA a subordinate of the external CA. Is
> >> that what you want?
> >>
> >> rob
> >
>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
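As an added example, not part of the thread and not FreeIPA's own code, this script makes the check Rob's reply implies: look at the subject CN of a CSR before handing it to a certificate tool, because the CSR that `ipa-cacert-manage renew --external-ca` emits is a CA request with CN=Certificate Authority, while a tool that issues server certs expects the CN to be a host name. It uses openssl to build two constructed CSRs and classify each; the subjects, the temp paths and the host name ipa.example.com are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): build two throwaway CSRs with openssl
# and inspect their subject CN, the field the poster's cert tool rejected.
# Subjects, file names and ipa.example.com are constructed sample data.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a throwaway RSA key and a CSR with the given subject; print the CSR path.
make_csr() {   # make_csr <name> <subject>
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    printf '%s\n' "$WORK/$1.csr"
}

# Print the CN from a CSR's subject. RFC 2253 formatting gives a predictable
# "attr=value,attr=value" layout regardless of the openssl version.
csr_cn() {   # csr_cn <csr-file>
    openssl req -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if the CN is shaped like a host name (what a server-cert tool
# such as the poster's expects); a CA-style CN like "Certificate Authority" fails.
cn_is_fqdn() {   # cn_is_fqdn <cn>
    printf '%s' "$1" | grep -Eq '^([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$'
}

# Classify a CSR by its CN: "server" for a host-name CN, "ca-like" otherwise.
csr_cn_kind() {   # csr_cn_kind <csr-file>
    if cn_is_fqdn "$(csr_cn "$1")"; then
        echo server
    else
        echo ca-like
    fi
}

# The shape of the CSR from ipa-cacert-manage renew --external-ca: a CA CN.
CA_CSR="$(make_csr ca '/O=EXAMPLE.COM/CN=Certificate Authority')"
# The shape a server-certificate tool wants: CN = the web UI's FQDN.
SRV_CSR="$(make_csr srv '/O=EXAMPLE.COM/CN=ipa.example.com')"

for csr in "$CA_CSR" "$SRV_CSR"; do
    printf '%s: CN=%s -> %s\n' "$(basename "$csr")" "$(csr_cn "$csr")" "$(csr_cn_kind "$csr")"
done
```

Run it as-is; it needs only a working openssl binary. A "ca-like" result means the request is for a subordinate CA and belongs with a CA-issuing workflow, not with a tool that expects a host name in the CN.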