Hi,
I am trying to configure FreeIPA as a SubCA, and the "RootCA" is self-made with openssl. So I've signed the FreeIPA's request with my self-signed "root ca" certificate, but it looks like FreeIPA doesn't like it:
ipa-server-install --external-cert-file=/root/rootca/rootcacert.pem --external-cert-file=/root/rootca/certs/ipacert.pem <...skipped...> ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR CA certificate CN=RootCA,OU=PRJ,O=COMPANY,L=Bonn,C=DE in /root/rootca/rootcacert.pem, /root/rootca/certs/ipacert.pem is not valid: not a CA certificate ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The subj above is my self-made root CA cert, so it looks like something is missing in it. But what...?
Here is it below, it has the "Basic Constraint" set with CA:TRUE... What else is required, so that FreeIPA accepts it as a root CA? Should I add it somewhere first, before running the ipa-server-install?
[root@ipa ~]# openssl x509 -text -noout -in /root/rootca/rootcacert.pem Certificate: Data: Version: 3 (0x2) Serial Number: 0 (0x0) Signature Algorithm: sha256WithRSAEncryption Issuer: C=DE, L=Bonn, O=COMPANY, OU=PRJ, CN=RootCA Validity Not Before: Oct 24 11:43:13 2018 GMT Not After : Oct 21 11:43:13 2028 GMT Subject: C=DE, L=Bonn, O=COMPANY, OU=PRJ, CN=RootCA Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: <...skipped...> Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: B3:18:3B:CF:29:D2:A5:D4:AE:94:A5:42:65:A2:D8:12:7C:92:78:81 X509v3 Authority Key Identifier: keyid:B3:18:3B:CF:29:D2:A5:D4:AE:94:A5:42:65:A2:D8:12:7C:92:78:81
X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha256WithRSAEncryption <...skipped...>
Thanks!!