On 11/08/2013 04:56 AM, Petr Viktorin wrote:
> On 11/08/2013 09:01 AM, Martin Kosek wrote:
>> Thanks for heads up. You mean by the difference between "O=MW" and
>> "O=MELTWATER.COM"?
>> Petr, is this possible? Can it be validated in the installer if this is
>> the root cause?

That's a good question. Typically with cert validation only the CN component in the subject is cross-checked. More aggressive validators are free to examine all RDNs in the subject (not sure what the PKIX behavior is with respect to other RDNs). Of course this isn't cert validation, but validating a CSR is closely related. The first place I would look is the Dogtag policy.

> It is possible. It's hard to tell without the logs; looks like the
> failure was inside Dogtag. There may be more issues; for instance I
> don't think we considered PEM files with extra data before the BEGIN
> CERTIFICATE.
> I filed a ticket to investigate:
> https://fedorahosted.org/freeipa/ticket/4019

FWIW I've authored a set of Python utilities to work with PEM files for OpenStack. They work just fine with PEM blocks embedded with non-PEM text. I was thinking the utilities would also be useful in FreeIPA (in fact my experience in IPA is what guided the development of these utilities). I'll try to get them up in a git repo shortly and send a pointer.

--
John

_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
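
The following is an added example, not part of the original message and not the utilities John mentions or FreeIPA's own code: a minimal sketch of pulling PEM blocks out of a file that carries extra text before the BEGIN CERTIFICATE line. The function names, the sample subject and the placeholder payload are assumptions made for illustration.

```python
import base64
import binascii
import re

# Encapsulation boundaries: the BEGIN and END labels must match, and the body
# may contain only base64 characters and whitespace, so a BEGIN line with no
# matching END cannot swallow a later, well-formed block.
_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*"
    r"([A-Za-z0-9+/=\s]+?)"
    r"-----END \1-----"
)


def extract_pem_blocks(text, label=None):
    """Return [(label, der_bytes)] for each well-formed PEM block in text.

    Text outside the boundaries (for example a human-readable dump placed
    before the block) is ignored. Bodies that fail strict base64 decoding
    are skipped rather than passed on to a certificate parser.
    """
    blocks = []
    for match in _PEM_RE.finditer(text):
        found_label, body = match.group(1), match.group(2)
        if label is not None and found_label != label:
            continue
        compact = "".join(body.split())  # drop line breaks inside the body
        try:
            der = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            continue
        if der:
            blocks.append((found_label, der))
    return blocks


# Constructed sample: placeholder bytes, not a real certificate.
SAMPLE_DER = bytes(range(64))


def build_sample():
    """Build a constructed PEM file with non-PEM text before and after."""
    b64 = base64.encodebytes(SAMPLE_DER).decode("ascii")
    return (
        "Certificate:\n    Subject: O=EXAMPLE.TEST, CN=Certificate Authority\n"
        "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"
        "trailing notes\n"
    )
```

An installer-side check can call `extract_pem_blocks(data, label="CERTIFICATE")` and hand only the decoded bytes to the certificate parser, rejecting the file when the list is empty.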
