On Thu, Sep 06, 2018 at 10:00:00AM -0000, Peter Tselios via FreeIPA-users wrote:
> I want to use the company's MS-CA as the single CA and thus I had to change the
> The process was smooth until the point of importing the certificate in the FreeIPA.
> I got this:
> ipa-cacert-manage renew --external-cert-file=./ms-crt.pem
> Importing the renewed CA certificate, please wait
> Subject name encoding mismatch (visit http://www.freeipa.org/page/Troubleshooting
> The ipa-cacert-manage command failed.
> The documentation is very clear: FreeIPA issues CSRs in UTF8.
> The MS-CA uses PRINTABLESTRING in the subject and the issuer.
> The MS admins/engineers do not want to change this to UTF-8, so I am a little bit stuck
> Is there any way to configure FreeIPA to issue the CSR in PRINTABLESTRING and import it?
> Or is UTF8 the only format acceptable to FreeIPA?
The mismatch between the CSR and the issued certificate is not the
problem. Generating a CSR with PRINTABLESTRING encoding will not
The problem is that the new certificate's DN encoding differs from
the existing CA certificate subject DN. Many programs will
encounter problems if the CA subject DN encoding changes (i.e. they
perform binary exact match on DNs and do not recognise the new
certificate as the same CA). Therefore we do not allow the Subject
DN encoding to change. You will have to plead with your AD admins
to allow the certificate to be issued with string encodings that
match the existing certificate.
Incidentally, FreeIPA will accept any valid string encoding during
installation. But the encoding must remain the same when renewing
the CA certificate (which includes switching from self-signed to
externally-signed or vice-versa).
Hope that has helped you understand this limitation.
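The reply above turns on one detail: a relying party that matches DNs byte-for-byte sees `CN=Certificate Authority,O=EXAMPLE.COM` encoded with UTF8String and the same text encoded with PrintableString as two different names. The following script is an added example (not FreeIPA or Dogtag code) that builds an X.501 Name in DER with a chosen string type, parses it back, and reports per-attribute string-type mismatches between an "existing" and a "re-issued" subject. The subject `CN=Certificate Authority,O=EXAMPLE.COM` and the two-attribute DN are constructed sample data; the minimal DER encoder/decoder only handles what a Name needs (SEQUENCE, SET, OID, UTF8String, PrintableString) and is not a general ASN.1 library.

```python
"""Compare the DER string encoding of two X.509 subject names, attribute by attribute.

Added example, not FreeIPA project code. It hand-rolls just enough DER to build
and parse an X.501 Name so that it runs without pyasn1 or cryptography.
"""

# ASN.1 universal tags that appear in an X.501 Name
TAG_SEQUENCE = 0x30
TAG_SET = 0x31
TAG_OID = 0x06
TAG_UTF8STRING = 0x0C
TAG_PRINTABLESTRING = 0x13
TAG_NAMES = {TAG_UTF8STRING: "UTF8String", TAG_PRINTABLESTRING: "PrintableString"}

OID_CN = "2.5.4.3"   # id-at-commonName
OID_O = "2.5.4.10"   # id-at-organizationName

# Constructed sample: the FreeIPA-style CA subject CN=Certificate Authority,O=EXAMPLE.COM.
# DER lists RDNs root-first, so O comes before CN.
SAMPLE_RDNS = [(OID_O, "EXAMPLE.COM"), (OID_CN, "Certificate Authority")]


def _encode_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _encode_length(len(content)) + content


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def encode_name(rdns, string_tag):
    """DER-encode a Name with one attribute per RDN, using string_tag for every value."""
    body = b""
    for oid, value in rdns:
        atv = _tlv(TAG_SEQUENCE, _encode_oid(oid) + _tlv(string_tag, value.encode("utf-8")))
        body += _tlv(TAG_SET, atv)
    return _tlv(TAG_SEQUENCE, body)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    parts = [content[0] // 40, content[0] % 40]   # fine for the 2.5.4.x arc used here
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def parse_name(der):
    """Return [(oid, string_type, text), ...] for every attribute in a DER Name."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == TAG_SEQUENCE, "Name must be a SEQUENCE"
    attrs, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _read_tlv(body, pos)
        assert tag == TAG_SET, "RDN must be a SET"
        rpos = 0
        while rpos < len(rdn):
            tag, atv, rpos = _read_tlv(rdn, rpos)
            assert tag == TAG_SEQUENCE, "AttributeTypeAndValue must be a SEQUENCE"
            _, oid_content, vpos = _read_tlv(atv, 0)
            vtag, vcontent, _ = _read_tlv(atv, vpos)
            attrs.append((_decode_oid(oid_content),
                          TAG_NAMES.get(vtag, "tag 0x%02x" % vtag),
                          vcontent.decode("utf-8")))
    return attrs


def encoding_mismatches(old_der, new_der):
    """Attributes whose string type (or OID) differs; empty list means byte-identical encoding."""
    old, new = parse_name(old_der), parse_name(new_der)
    if len(old) != len(new):
        return [("attribute count", str(len(old)), str(len(new)))]
    return [(o_oid, o_type, n_type)
            for (o_oid, o_type, _), (n_oid, n_type, _) in zip(old, new)
            if o_oid != n_oid or o_type != n_type]


# Existing CA subject as FreeIPA encodes it (UTF8String) vs the same text re-issued
# by a CA that uses PrintableString.
EXISTING_DER = encode_name(SAMPLE_RDNS, TAG_UTF8STRING)
REISSUED_DER = encode_name(SAMPLE_RDNS, TAG_PRINTABLESTRING)

if __name__ == "__main__":
    print("same text:", [a[2] for a in parse_name(EXISTING_DER)] == [a[2] for a in parse_name(REISSUED_DER)])
    print("same bytes:", EXISTING_DER == REISSUED_DER)
    for oid, old_type, new_type in encoding_mismatches(EXISTING_DER, REISSUED_DER):
        print("mismatch on %s: %s -> %s" % (oid, old_type, new_type))
```

The same check on real certificates does not need custom code: `openssl asn1parse -in ca.pem` prints each attribute value with its tag (`UTF8STRING` or `PRINTABLESTRING`), so running it against the current FreeIPA CA certificate and against the file handed back by the external CA, before calling `ipa-cacert-manage renew`, shows whether the subject encodings agree. Note that the check is per attribute: a CA that emits PrintableString only where the characters allow it and UTF8String elsewhere can still produce a mismatch on a single RDN.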