Hello, I want to use the company's MS-CA as the single CA and thus I had to change the FreeIPA certificate. The process was smooth until the point of importing the certificate into FreeIPA. I got this:

===============================================
ipa-cacert-manage renew --external-cert-file=./ms-crt.pem
Importing the renewed CA certificate, please wait
Subject name encoding mismatch
(visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.
===============================================

The documentation is very clear: FreeIPA issues CSRs in UTF8. The MS-CA uses PRINTABLESTRING in the subject and the issuer. The MS admins/engineers do not want to change this to UTF8, so I am a little bit stuck here.

Is there any way to configure FreeIPA to issue the CSR in PRINTABLESTRING and import it? Or is UTF8 the only format FreeIPA accepts?
No one????
Only UTF-8 is allowed. Re-sign with UTF-8.
John
On 12 Sep 2018, at 16:37, Peter Tselios via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
No one????
On Thu, Sep 06, 2018 at 10:00:00AM -0000, Peter Tselios via FreeIPA-users wrote:
Hi Peter,
The mismatch between the CSR and the issued certificate is not the problem. Generating a CSR with PRINTABLESTRING encoding will not help.
The problem is that the new certificate's DN encoding differs from the existing CA certificate subject DN. Many programs will encounter problems if the CA subject DN encoding changes (i.e. they perform binary exact match on DNs and do not recognise the new certificate as the same CA). Therefore we do not allow the Subject DN encoding to change. You will have to plead with your AD admins to allow the certificate to be issued with string encodings that match the existing certificate.
Incidentally, FreeIPA will accept any valid string encoding during installation. But the encoding must remain the same when renewing the CA certificate (which includes switching from self-signed to externally-signed or vice-versa).
Hope that has helped you understand this limitation.
Cheers, Fraser
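Fraser's point that DN matching is byte-exact can be turned into a pre-flight check before running ipa-cacert-manage renew. The script below is an added example, not code from this thread or from FreeIPA: it walks the DER of two X.509 subject Names and reports every attribute whose ASN.1 string type changed (UTF8String vs PrintableString). The sample Names, the DN "O=EXAMPLE.TEST, CN=Certificate Authority" and the assumption that both Names carry the same attributes in the same order are constructed for the demonstration; with real certificates you would feed it the DER bytes of each subject Name.

```python
TAG_NAMES = {0x0C: "UTF8String", 0x13: "PrintableString", 0x16: "IA5String", 0x1E: "BMPString"}

def read_tlv(buf, pos=0):              # -> (tag, content, next_pos) of the DER element at buf[pos]
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long-form length: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):                 # elements directly inside a constructed type
    pos = 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        yield tag, body

def name_profile(name_der):            # [(oid_hex, value_tag, value)] per attribute of a DER Name
    tag, content, _ = read_tlv(name_der)
    assert tag == 0x30, "Name must be a SEQUENCE OF RelativeDistinguishedName"
    profile = []
    for _, rdn in children(content):                 # SET OF AttributeTypeAndValue
        for _, atv in children(rdn):                 # SEQUENCE { type OID, value }
            (_, oid), (vtag, val) = list(children(atv))
            profile.append((oid.hex(), vtag, val.decode("utf-8", "replace")))
    return profile

def encoding_mismatches(old_der, new_der):   # attributes whose string tag changed (same order assumed)
    pairs = zip(name_profile(old_der), name_profile(new_der))
    return [(o[0], TAG_NAMES.get(o[1], hex(o[1])), TAG_NAMES.get(n[1], hex(n[1])))
            for o, n in pairs if o[1] != n[1]]

# --- constructed sample Names, no real certificate material ----------------------------
def der(tag, content):
    assert len(content) < 128          # short-form length is enough for these samples
    return bytes([tag, len(content)]) + content
def make_name(attrs):                  # attrs: [(oid_bytes, value_tag, value_str)]
    return der(0x30, b"".join(der(0x31, der(0x30, der(0x06, oid) + der(t, v.encode())))
                              for oid, t, v in attrs))
OID_O, OID_CN = bytes.fromhex("55040a"), bytes.fromhex("550403")   # 2.5.4.10, 2.5.4.3
# Existing IPA CA subject (UTF8String, as FreeIPA issues it) and the same DN as a CA that
# re-encodes names as PrintableString would emit it in the signed certificate.
IPA_SUBJECT = make_name([(OID_O, 0x0C, "EXAMPLE.TEST"), (OID_CN, 0x0C, "Certificate Authority")])
MSCA_SUBJECT = make_name([(OID_O, 0x13, "EXAMPLE.TEST"), (OID_CN, 0x13, "Certificate Authority")])

if __name__ == "__main__":
    print("subject DER byte-identical:", IPA_SUBJECT == MSCA_SUBJECT)   # False
    for oid, was, now in encoding_mismatches(IPA_SUBJECT, MSCA_SUBJECT):
        print(f"attribute {oid}: {was} -> {now}")   # each of these triggers the renewal refusal
```

An empty result from encoding_mismatches means the new certificate's subject uses the same string types as the existing CA certificate, which is the condition the renewal enforces.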
Yes, thank you very much Fraser. So, the only option (at least when you switch from self-signed to an external one) is to use UTF8 and nothing else.
Many thanks.