On Wed, Apr 3, 2024 at 5:24 AM Travis West via FreeIPA-users < freeipa-users(a)lists.fedorahosted.org> wrote:
That's exactly my point. I would expect subject and issuer to display the components in the same order (ending with O=IPA.****.NET). The subject was provided to openssl req command, you can try to provide it in the reverse order.
If I look at the p12 file I created from the it has them listed in the correct order for Subject, but the Issuer line is reversed from what getcert shows
subject=/CN=OCSP Subsystem/O=IPA.****.NET issuer=/O=IPA.****.NET/CN=Certificate Authority
subject=/CN=CA Subsystem/O=IPA.****.NET issuer=/O=IPA.****.NET/CN=Certificate Authority
subject=/CN=CA Audit/O=IPA.****.NET issuer=/O=IPA.****.NET/CN=Certificate Authority
The CSR was created using this command
openssl req -new -sha256 -key ocsp.key -subj "/CN=OCSP Subsystem /O=IPA.SUPERB.NET" -out ocsp.csr
The certificate was requested using this command
openssl x509 -req -in ocsp.csr -CA ca.crt -CAkey ca.key -set_serial 2 -out ocsp.crt -days 3650 -sha256
So you're saying in that CSR req to swap CN and O for that -subj flag?
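The ordering question in this thread, as an added example that is not part of the original messages: openssl encodes the RDNs in the order they are written in -subj, its slash-separated display keeps that encoding order, and the RFC 4514 comma-separated form lists the same RDNs in reverse. The realm EXAMPLE.TEST and the function names parse_subj, rfc4514 and order_mismatch are assumptions made for illustration.

```python
import re

def parse_subj(subj):
    """Parse an openssl -subj style DN ("/CN=x/O=y") into [(type, value), ...].
    The list keeps the written order, which is the order the RDNs are encoded."""
    if not subj.startswith("/"):
        raise ValueError("expected a DN starting with '/'")
    rdns = []
    # Split on '/' separators, but not on a backslash-escaped '\/'.
    for part in re.split(r"(?<!\\)/", subj[1:]):
        attr, sep, value = part.partition("=")
        if not sep or not attr:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.replace("\\/", "/")))
    return rdns

def rfc4514(rdns):
    """Render in RFC 4514 string form: last-encoded RDN first, comma-separated.
    Escapes the common special characters only (leading/trailing space not handled)."""
    def esc(value):
        return re.sub(r'([,+"\\<>;])', r"\\\1", value)
    return ",".join(f"{t}={esc(v)}" for t, v in reversed(rdns))

def order_mismatch(subject, issuer):
    """Return (a, b) pairs of attribute types that appear as a-then-b in the
    subject but b-then-a in the issuer; an empty list means the orders agree."""
    s = [t for t, _ in parse_subj(subject)]
    i = [t for t, _ in parse_subj(issuer)]
    shared = [t for t in s if t in i]
    return [(a, b) for n, a in enumerate(shared) for b in shared[n + 1:]
            if i.index(a) > i.index(b)]

# Constructed sample DNs modelled on the output quoted in the thread.
ISSUER = "/O=EXAMPLE.TEST/CN=Certificate Authority"
SUBJ_AS_ISSUED = "/CN=OCSP Subsystem/O=EXAMPLE.TEST"   # CN first, as passed to -subj
SUBJ_SWAPPED = "/O=EXAMPLE.TEST/CN=OCSP Subsystem"     # O first, same order as issuer

if __name__ == "__main__":
    for label, dn in (("issuer", ISSUER), ("as issued", SUBJ_AS_ISSUED),
                      ("swapped", SUBJ_SWAPPED)):
        print(f"{label:10} encoded order: {dn}")
        print(f"{'':10} RFC 4514:      {rfc4514(parse_subj(dn))}")
    print("mismatch (as issued):", order_mismatch(SUBJ_AS_ISSUED, ISSUER))
    print("mismatch (swapped):  ", order_mismatch(SUBJ_SWAPPED, ISSUER))
```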