Discussion:
[Freeipa-users] External cert with correct CSR?
Kat
2017-05-02 15:44:15 UTC
Hi all,

I am somewhat confused trying to get the process of using an external
cert for IPA.

If I follow step 1:
ipa-server-install -a Secret123 -p Secret123 -r EXAMPLE.COM --external-ca -U

This does indeed generate a CSR, but trying to do anything with this CSR
has no success since it is not properly formed with all info. In
other words, ipa does not add country, state, location, etc. If I submit
this CSR to any cert company, it will, of course, complain. Is there a
way to get this right? Or am I just missing something here?

Thanks

K
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Rob Crittenden
2017-05-02 16:04:41 UTC
Post by Kat
> Hi all,
> I am somewhat confused trying to get the process of using an external
> cert for IPA.
> ipa-server-install -a Secret123 -p Secret123 -r EXAMPLE.COM --external-ca -U
> This does indeed generate a CSR, but trying to do anything with this CSR
> has no success since it is not properly formed with all info. In
> other words, ipa does not add country, state, location, etc. If I submit
> this CSR to any cert company, it will, of course, complain. Is there a
> way to get this right? Or am I just missing something here?

What cert company are you trying to get to sign this? This is a CA cert,
I don't know that any of the major ones will sign this, at least not
without a huge check.

What version of IPA?

rob
Kat
2017-05-02 16:10:12 UTC
Yeah, after I sent this email, I realized what I was trying to do and
that, "Oh wait, this is not really going to work."

For what it is worth - version on RHEL 7.3 - 4.4.0-14.el7_3.7

-K
Fraser Tweedale
2017-05-04 01:47:06 UTC
> Yeah, after I sent this email, I realized what I was trying to do and that,
> "Oh wait, this is not really going to work."

Indeed. This feature is usually used to chain an IPA CA into an
organisation's existing PKI, which is controlled by the
organisation, thus they can add whatever they need to the cert
regardless of what is/is not asserted by the CSR.

Cheers,
Fraser
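
The chaining described in the reply above, as an added example that is not part of the original thread and is not FreeIPA's own code: a private root CA signs a CSR whose subject carries only O and CN, and the issuer supplies the CA extensions itself. The root CA, the subjects and all file names are constructed stand-ins.

```shell
#!/usr/bin/env bash
# Added example with constructed stand-ins: the root CA, subjects and file
# names are assumptions, not values taken from the thread.
#
# Signs a CSR whose subject has no C/ST/L as a subordinate CA under a private
# root. The CA extensions come from the issuer's subca.ext, not from the CSR.
chain_demo() {
    local dir rc
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" &&
        # Minimal config so the run does not depend on the system openssl.cnf.
        cat > req.cnf <<'EOF' &&
[req]
distinguished_name = dn
prompt = no
[dn]
O = EXAMPLE.COM
CN = Certificate Authority
[root_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
        cat > subca.ext <<'EOF' &&
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
        # Stand-in for the organisation's existing root CA.
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config req.cnf \
            -extensions root_ext -subj "/C=US/O=Example Corp/CN=Example Root CA" \
            -keyout root.key -out root.crt 2>/dev/null &&
        # Stand-in for the generated CSR: the subject is only O and CN.
        openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
            -keyout sub.key -out sub.csr 2>/dev/null &&
        # The issuer decides the extensions; nothing is copied from the CSR.
        openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key \
            -CAcreateserial -days 30 -extfile subca.ext -out sub.crt 2>/dev/null &&
        # The result must chain to the root and be marked as a CA.
        openssl verify -CAfile root.crt sub.crt >/dev/null &&
        openssl x509 -in sub.crt -noout -text | grep -q 'CA:TRUE'
    )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

`chain_demo` returns 0 when the issued certificate verifies against the stand-in root and carries `CA:TRUE`.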