On Tue, Nov 17, 2020 at 06:21:51PM -0000, A. Karampatziakis via FreeIPA-users wrote:
> Hi Fraser,
>
> Thanks for the quick reply.
> We had tried the --ca-subject before with no success..
> It turns out the problem was with the order of the components in the DN.
> Your comment helped to go through the contents of the files once more. :)
>
> The csr had:
> Subject: CN = XXxXxxX YYyY,O = XXxX XxX,C = XX
> Whereas the certificate returned by the root-ca had:
> Subject: C = XX,O = XXxX XxX,CN = XXxXxxX YYyY
>
> FreeIPA was giving a clear enough message..
> ipapython.admintool: ERROR IPA CA certificate with subject
> 'CN=XXxXXX,O=XXxXX,C=XX' was not found in /root/server.crt,/root/ca.crt.
>

Hi Anestis,
So the root CA is reordering the RDNs. What software is used by the root CA?
Maybe its configuration or the certificate profile/template can be altered
to give the desired result.

Otherwise, try again using --ca-subject but give the RDNs in the order the
CA used (C,O,CN). Maybe the CA will agree (or maybe it will reverse the
order back to CN,O,C).

Note that different programs express RDNs in different order. FreeIPA and
NSS have the "most specific" RDN at the left, whereas OpenSSL has the "most
specific" RDN at the right. It is possible this resulted in a confusion
and misconfiguration somewhere?

Cheers,
Fraser

>
> Regards,
> Anestis
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
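Added illustration of the failure discussed in this thread (example code, not from the thread, FreeIPA or OpenSSL): a small order-sensitive DN comparison that reproduces the "subject not found" near miss when a CA re-orders the RDNs, and reports the RDNs in the order the issuer used. The DN strings are constructed from the redacted values above; `find_ca_subject` is a hypothetical stand-in for the real lookup.

```python
# Added example (not from the thread): order-sensitive comparison of X.509
# subject DNs, showing why a CA that re-orders RDNs breaks a lookup such as
# "IPA CA certificate with subject '...' was not found".
# DN strings in the tests are constructed from the redacted thread values.

def parse_dn(dn):
    """Split a DN string ("CN = a,O = b,C = c" or "CN=a,O=b,C=c") into an
    ordered list of (type, value) pairs, exactly in the order written.
    Backslash escapes of ',' are honoured; multi-valued RDNs are not."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def compare_subjects(expected, actual):
    """Compare two DN strings written in the same convention (e.g. both as
    printed by the same tool). Returns (verdict, rewritten) where verdict is
    "match", "reversed" or "different" and rewritten is the name in the order
    the other side used (only for "reversed"), which is what one would pass
    to --ca-subject to retry as suggested in the thread."""
    e, a = parse_dn(expected), parse_dn(actual)
    if e == a:
        return "match", None
    if e == a[::-1]:
        return "reversed", ",".join(f"{t}={v}" for t, v in a)
    return "different", None

def find_ca_subject(expected, candidate_subjects):
    """Hypothetical stand-in for the lookup that failed in the thread: search
    the supplied certificate subjects for `expected` and explain a near miss
    that is due only to RDN order."""
    for subj in candidate_subjects:
        verdict, in_ca_order = compare_subjects(expected, subj)
        if verdict == "match":
            return "found: " + subj
        if verdict == "reversed":
            return "not found; same RDNs in reverse order, CA used: " + in_ca_order
    return "not found"
```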