Hello, I generated a CSR from the CLI in order to be signed by an MS-CA. The MS-CA complains about missing country information, which is a mandatory field. I checked the CSR and the subject line is:
subject=O = INMLXD.EXAMPLE.COM, CN = Certificate Authority
So, no country, no city, nothing. How do I add that information in FreeIPA? What is the configuration file used by the cert-part of it?
Peter Tselios via FreeIPA-users wrote:
> Hello, I generated a CSR from the CLI in order to be signed by an MS-CA. The MS-CA complains about missing country information, which is a mandatory field. I checked the CSR and the subject line is:
> subject=O = INMLXD.EXAMPLE.COM, CN = Certificate Authority
> So, no country, no city, nothing. How do I add that information in FreeIPA? What is the configuration file used by the cert-part of it?
Are you sure you are issuing a CA cert on the AD side and not a server cert?
rob
I talked with some friends. It looks like the only way to alter this information is during the installation only (when you specify an external CA) and there is no way to change it afterwards.
On Wed, Sep 12, 2018 at 02:36:23PM -0000, Peter Tselios via FreeIPA-users wrote:
> I talked with some friends. It looks like the only way to alter this information is during the installation only (when you specify an external CA) and there is no way to change it afterwards.
That's correct. When installing FreeIPA the CA Subject DN is completely configurable via the `--ca-subject=...` option.
After installation the CA subject DN cannot be changed. This is due to X.509 itself, not specific to FreeIPA.
There are hacks to change the CA Subject DN in FreeIPA, but the process is complicated and unsupported.
Cheers, Fraser
freeipa-users@lists.fedorahosted.org
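Added example, not part of the thread: because the CA subject DN cannot be changed after installation, this script inspects a CSR's subject and reports missing attributes before the CSR is sent to the external CA. The function names, the `REQUIRED` list (default `C`) and the `C=GR` demo value are assumptions; the demo CSRs are constructed with throwaway keys.

```shell
#!/bin/sh
# Added example, not from the thread. REQUIRED is an assumption: the thread
# only says the MS-CA insists on a country (C) attribute.
REQUIRED="${REQUIRED:-C}"

# Print the attribute types in a CSR subject, one per line (e.g. O, CN).
# A multi-valued RDN prints on one line, so only its first type is listed.
csr_subject_types() {
    subj=$(openssl req -in "$1" -noout -subject \
        -nameopt sep_multiline,sname 2>/dev/null) || return 2
    printf '%s\n' "$subj" | sed -n 's/^  *\([A-Za-z0-9.]*\)=.*/\1/p'
}

# Print the REQUIRED types missing from the subject; status 1 if any are.
csr_missing_attrs() {
    types=$(csr_subject_types "$1") || return 2
    missing=""
    for want in $REQUIRED; do
        printf '%s\n' "$types" | grep -qx "$want" || missing="$missing $want"
    done
    if [ -n "$missing" ]; then
        echo "${missing# }"
        return 1
    fi
}

# Constructed demo input: a throwaway key and CSR with the given subject.
make_demo_csr() {   # $1 = subject in -subj form, $2 = output path
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$2.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$2.cnf" -subj "$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

tmp=$(mktemp -d)
# Subject as shown in the thread, then the same with a constructed C=GR.
make_demo_csr "/O=INMLXD.EXAMPLE.COM/CN=Certificate Authority" "$tmp/thread.csr"
make_demo_csr "/C=GR/O=INMLXD.EXAMPLE.COM/CN=Certificate Authority" "$tmp/fixed.csr"
for f in "$tmp/thread.csr" "$tmp/fixed.csr"; do
    if m=$(csr_missing_attrs "$f"); then
        echo "$f: subject has $REQUIRED"
    else
        echo "$f: subject is missing: $m"
    fi
done
```

Set `REQUIRED` to a space-separated list (for example `REQUIRED="C L"`) to match whatever the external CA's policy demands.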