On 19/10/2020 15.17, Krzysztof O via FreeIPA-users wrote:
> Krzysztof O via FreeIPA-users wrote:
> RFC 3280 defines the upper-bound of common name at 64 and is mandatory.
> What problem is this causing?
> When issuing CSR from the overcloud nodes, the CN field value exceeds the 64 characters
> limit and the request fails. We expect to be able to issue CSRs for FQDNs longer than 64
> The domain cannot be shortened, at least the customer subdomain so we need a solution
> which will allow us to deploy a RHOSP cluster with TLS everywhere enabled, when the FQDN
> used in CN is longer than 64 characters.

This is not possible. RFC 3280 limits the upper bound for common name to
64 octets. From https://tools.ietf.org/html/rfc3280#appendix-A.1

    ub-common-name INTEGER ::= 64

A certificate with a longer common name would be in violation of the
standard and therefore an invalid certificate.

In general, hostnames with more than 64 octets are badly supported by
the Linux kernel. For example, gethostname() and uname()'s utsname->nodename
are limited to 64 characters. You are going to run into more issues.

Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH, https://de.redhat.com/
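
The ub-common-name bound quoted in the reply above, applied to a DER-encoded subject Name the way a validating parser would see it. This is an added example, not code from the thread, FreeIPA or Dogtag; the helper names and the two sample FQDNs are constructed for illustration.

```python
# Added example: enforce RFC 3280's ub-common-name on a DER-encoded subject Name.
UB_COMMON_NAME = 64                          # RFC 3280 appendix A.1
OID_COMMON_NAME = bytes([0x55, 0x04, 0x03])  # 2.5.4.3, id-at-commonName

def tlv(tag, content):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def read_tlv(buf, pos):
    """Decode the TLV starting at pos; return (tag, content, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                         # long form: next N octets hold the length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def subject_for(fqdn):
    """Constructed input: Name = SEQUENCE { SET { SEQUENCE { OID, UTF8String } } }."""
    atv = tlv(0x30, tlv(0x06, OID_COMMON_NAME) + tlv(0x0C, fqdn.encode("ascii")))
    return tlv(0x30, tlv(0x31, atv))

def common_name_violations(name_der):
    """Return each commonName value in the Name that exceeds ub-common-name."""
    bad = []
    _, rdns, _ = read_tlv(name_der, 0)
    pos = 0
    while pos < len(rdns):
        _, rdn, pos = read_tlv(rdns, pos)         # SET OF AttributeTypeAndValue
        inner = 0
        while inner < len(rdn):
            _, atv, inner = read_tlv(rdn, inner)  # SEQUENCE { type, value }
            _, oid, after_oid = read_tlv(atv, 0)
            _, value, _ = read_tlv(atv, after_oid)
            if oid == OID_COMMON_NAME and len(value) > UB_COMMON_NAME:
                bad.append(value.decode("utf-8", "replace"))
    return bad

SHORT = "node0.overcloud.example.test"  # constructed FQDN, within the limit
LONG = "overcloud-controller-0.internalapi.customer-subdomain.region1.example.test"
```

Running `common_name_violations(subject_for(name))` over the planned node FQDNs before deployment lists the names whose certificate requests would be rejected.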