On Mon, Oct 19, 2020 at 06:52:20AM -0000, Krzysztof O via FreeIPA-users wrote:
> Hello,
>
> I'd like to ask if there is any workaround for issuing
> certificates that will have Common Name longer than 64 characters?
>
> For FreeIPA version less than 4.8.0 which is designated for RHEL
> 8, when we will have to stay with current version of RHEL 7.
>
> Regards, Krzysztof

Hi Krzysztof,

X.509 imposes the limit of 64 characters in the Common Name attribute. There is no workaround to exceed this limit.

But assuming this is a host or service certificate bearing DNS names, you can work around it another way:

1. Add a principal alias to the host/service entry via the `ipa {host,service}-add-principal` command. The principal alias should have the same service type as the main object, i.e. "host/$HOSTNAME" for a host principal, "HTTP/$HOSTNAME" for an HTTP service principal, etc. The hostname in the principal alias should be shorter than 64 characters.

2. Create a CSR with the shorter hostname in the CN attribute, and the longer hostname in the SAN DNS name.

Then you will be able to request the certificate.

The proper solution would be to support issuing certificates with empty subject DN. I thought I previously filed a ticket for this, but I can't find it now.

Cheers,
Fraser
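
The workaround described in the reply above, as an added example that is not part of the original message or of FreeIPA itself. The function names, the RSA 2048 key choice and the way the script is invoked are assumptions made for illustration; `request_host_cert` is meant to be run on an IPA client with a valid admin Kerberos ticket.

```shell
#!/bin/sh
# Added example: short hostname in the CN, long hostname in the SAN DNS name.

# Print an openssl req config for the CSR.
# Returns 1 if the CN would exceed the X.509 limit of 64 characters.
make_csr_conf() {
    short=$1
    long=$2
    if [ "${#short}" -gt 64 ]; then
        echo "CN '$short' is ${#short} characters; the limit is 64" >&2
        return 1
    fi
    cat <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext

[dn]
CN = $short

[ext]
subjectAltName = DNS:$long
EOF
}

# Add the alias, build the CSR and request the certificate for a host.
# For a service, use "ipa service-add-principal" and e.g. HTTP/ instead of host/.
request_host_cert() {
    short=$1
    long=$2
    conf=$(mktemp) || return 1
    make_csr_conf "$short" "$long" > "$conf" || return 1
    # The alias carries the same service type (host/) as the main principal.
    ipa host-add-principal "$long" "host/$short" || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$short.key" -out "$short.csr" -config "$conf" || return 1
    ipa cert-request "$short.csr" --principal "host/$long"
}

# Only act when asked to: ./script.sh run SHORT_HOSTNAME LONG_HOSTNAME
if [ "${1:-}" = "run" ]; then
    request_host_cert "$2" "$3"
fi
```

The config file is used instead of `-addext` so that the CSR step also works with the older OpenSSL shipped on RHEL 7.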