I have created an internal CA with openssl for my company, with a sub-CA for 
signing certain services such as FreeIPA's root CA. The problem I am having is 
that I have signed the CSR and uploaded it back to the FreeIPA server, but when 
I try to run the second part of the install it errors out. The following is the 
command used to run the second part of the install:
ipa-server-install --external-cert-file=/root/ipa.crt --external-cert-file=/root/internal-ca.cert.pem

This is the output:
The log file for this installation can be found in /var/log/ipaserver-install.log
Directory Manager password: 

==============================================================================
This program will set up the IPA Server.
Version 4.12.2

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure SID generation
  * Configure the KDC to enable PKINIT

IPA CA certificate with subject 'CN=Certificate Authority,O=EAJ Global,OU=UK Internal Certificate Authority,C=GB' was not found in /root/ipa.crt,/root/internal-ca.cert.pem.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

I used openssl to verify the certificate subject matches:
root@ipa1:~# openssl x509 -in /root/ipa.crt -noout -subject
subject=C=GB, O=EAJ Global, OU=UK Internal Certificate Authority, CN=Certificate Authority

The only difference I see is the order of the subject line. But the subject 
itself is still valid.

I am running Fedora 42 with the latest version in the repos installed.

Any help would be appreciated.
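
Added example, not part of the original post and not FreeIPA code: it compares the two subject strings quoted above as ordered RDN sequences rather than by eye. It assumes the installer message prints the DN in RFC 4514 order (last encoded RDN first) and that the openssl line is in the order encoded in the certificate; the function names are hypothetical.

```python
import re

# Strings copied from the post above.
IPA_EXPECTED = ("CN=Certificate Authority,O=EAJ Global,"
                "OU=UK Internal Certificate Authority,C=GB")
OPENSSL_SUBJECT = ("subject=C=GB, O=EAJ Global, "
                   "OU=UK Internal Certificate Authority, "
                   "CN=Certificate Authority")

_SPLIT = re.compile(r"(?<!\\),")  # split on commas that are not escaped


def _rdns(text):
    """Split a DN string into (TYPE, value) pairs, keeping the written order."""
    pairs = []
    for part in _SPLIT.split(text):
        attr, _, value = part.strip().partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def from_rfc4514(text):
    """Assumption: RFC 4514 text lists the last encoded RDN first, so reverse."""
    return list(reversed(_rdns(text)))


def from_openssl_subject(line):
    """Default `openssl x509 -subject` output lists RDNs in encoded order."""
    return _rdns(line.removeprefix("subject="))


def compare(expected, actual):
    """Return (same_attributes, same_order, mismatching positions)."""
    same_attrs = sorted(expected) == sorted(actual)
    diffs = [(i, e, a) for i, (e, a) in enumerate(zip(expected, actual)) if e != a]
    return same_attrs, expected == actual, diffs


if __name__ == "__main__":
    exp = from_rfc4514(IPA_EXPECTED)
    act = from_openssl_subject(OPENSSL_SUBJECT)
    same_attrs, same_order, diffs = compare(exp, act)
    print("same attributes:", same_attrs, "| same order:", same_order)
    for pos, e, a in diffs:
        print(f"  position {pos}: CSR/IPA has {e}, signed cert has {a}")
```

A distinguished name is an ordered sequence of RDNs, so two subjects with the same attributes in a different encoded order are different names to an exact comparison.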