Hi, on all FreeIPA instances I have the case that the webserver certificate has the same Issuer and CRLissuer. While it looks reasonable for FreeIPA to have the same here, it looks like it doesn't match RFC5280.
RFC5280 says: "... either distributionPoint or cRLIssuer MUST be present. If the certificate issuer is not the CRL issuer, then the cRLIssuer field MUST be present and contain the Name of the CRL issuer. If the certificate issuer is also the CRL issuer, then conforming CAs MUST omit the cRLIssuer field and MUST include the distributionPoint field." If I understand this correctly then the CRLissuer MUST NOT be given in the certificate. But it is always set. Am I wrong? kind regards, Frank -- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
