[Freeipa-users] --subject option for ipa-server-install

Rob Crittenden rcritten at redhat.com
Tue Apr 10 14:17:03 UTC 2012


Stephen Ingram wrote:
> On Mon, Apr 9, 2012 at 12:00 PM, Stephen Ingram<sbingram at gmail.com>  wrote:
>> On Mon, Apr 9, 2012 at 11:35 AM, Dmitri Pal<dpal at redhat.com>  wrote:
>>> On 04/09/2012 02:25 PM, Stephen Ingram wrote:
>>>> In an attempt to make the CA certificate from IPA a little more
>>>> noticeable for the users in our realm I've successfully used the
>>>> --subject option during the ipa-server-install process. It seems
>>>> however, that you cannot change the CN from the default "Certificate
>>>> Authority". I've added O=, OU= and C=, but as some certificate
>>>> managers in browsers/OSes (i.e. Mac OS X) organize certificates by CN
>>>> name, it would be nice to point to something representing the company
>>>> name instead of the generic Certificate Authority. It even seems that
>>>> in the older 2.0 release candidates, they used the default "REALM
>>>> Certificate Authority" for the CN instead of just Certificate
>>>> Authority. Can this be easily changed so that at least the realm could
>>>> be slipped in front of Certificate Authority or customize the CN
>>>> altogether?
>>>>
>>>
>>> Please open an RFE ticket.
>>
>> Done. Ticket 2614.
>
> In the meantime, I've changed
> /usr/lib/python2.x/site-packages/ipaserver/install/cainstance.py to
> force a CN and obtained a successful install. After the install,
> trying to create a cert failed so I also patched
> /usr/lib/python2.x/site-packages/ipalib/x509.py to allow for the
> different CN. Is there anywhere else I could get into trouble later on
> that might also need to be changed?

I think you might have issues if you try to install a replica. You'd 
probably need to change ipaserver/install/certs.py, plus duplicate the 
other changes as well.

rob



