On Mon, Sep 09, 2019 at 11:12:54AM +0100, lejeczek wrote:
> On 09/09/2019 01:07, Fraser Tweedale wrote:
> > On Fri, Sep 06, 2019 at 12:01:23PM +0100, lejeczek via FreeIPA-users wrote:
> >> hi guys,
> >>
> >> how to manage those?
> >>
> >> Why are these missing in "standard" IPA installations and how to get
> >> them in?
> >>
> >> many thanks, L.
> >>
> > Do you mean in the IPA CA certificate, or in the end-entity
> > certificates?
> >
> > If the CA certificate, use the --ca-subject option to specify the
> > full subject DN you desire. Note that you can only do this upon
> > installation; there is no way to change the subject of the CA after
> > installation.
>
> Yes, I learned that bit in the meanwhile, I think on your blog.
>
> Will it ever be possible to change CA's cert after installation at any time?
>
If you mean changing the CA's Subject DN, then the short answer is
no. The long answer is these blog posts:
- https://frasertweedale.github.io/blog-redhat/posts/2017-11-20-changing-ca-subject-dn-part-i
- https://frasertweedale.github.io/blog-redhat/posts/2017-11-22-changing-ca-subject-dn-part-ii-freeipa.html

tl;dr it is possible, but risky and unsupported and really, don't do
that :)

Cheers,
Fraser

> many thanks, L.
>
> >
> > For end-entity certificates, upon installation you can use the
> > --subject-base option to specify the desired "subject base DN", to
> > which the Common Name (CN) will be appended. For existing
> > installations you can use the 'ipa certprofile-*' commands to import
> > or modify profile configurations. You will want to tweak the
> > configuration of the 'subjectNameDefaultImpl' component to
> > include the desired attributes.
> >
> > Cheers,
> > Fraser
> >
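An added example, not part of the thread and not FreeIPA's own code: one way to make the 'subjectNameDefaultImpl' change described above on an exported profile file, so the edit is reviewable and repeatable before it is loaded back. The sample profile text, the realm, the OU/C values and the helper names are constructed for illustration, and the template is assumed to contain no escaped commas.

```python
import re

# Constructed sample in the style of an exported Dogtag/FreeIPA profile
# (trimmed; realm and values are placeholders, not from the thread).
SAMPLE_PROFILE = """\
profileId=caIPAserviceCert
policyset.serverCertSet.list=1,2
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=EXAMPLE.TEST
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.params.range=731
"""

CLASS_RE = re.compile(
    r"^(policyset\.[^.=]+\.[^.=]+)\.default\.class_id=subjectNameDefaultImpl\s*$")


def subject_template_key(lines):
    """Return the params.name key of the one policy using subjectNameDefaultImpl."""
    hits = [m.group(1) for m in map(CLASS_RE.match, lines) if m]
    if len(hits) != 1:
        raise ValueError(f"expected one subjectNameDefaultImpl policy, found {len(hits)}")
    return hits[0] + ".default.params.name"


def add_subject_attrs(profile_text, extra_rdns):
    """Insert extra RDNs (e.g. "OU=Servers") right after the CN in the template.

    Assumes the template contains no escaped commas. Attribute types that are
    already present are skipped, so re-running on the output changes nothing.
    """
    lines = profile_text.splitlines()
    key = subject_template_key(lines)
    for i, line in enumerate(lines):
        name, sep, value = line.partition("=")
        if name != key or not sep:
            continue
        rdns = [r.strip() for r in value.split(",")]
        present = {r.split("=", 1)[0].strip().upper() for r in rdns}
        new = [r for r in extra_rdns
               if r.split("=", 1)[0].strip().upper() not in present]
        rdns[1:1] = new
        lines[i] = f"{key}={', '.join(rdns)}"
        return "\n".join(lines) + "\n"
    raise ValueError(f"{key} not found in profile")


if __name__ == "__main__":
    print(add_subject_attrs(SAMPLE_PROFILE, ["OU=Servers", "C=GB"]), end="")
```

The input file would come from `ipa certprofile-show <profile> --out FILE` and the result would be loaded with `ipa certprofile-mod <profile> --file FILE`; diff the two files before applying.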