Hi,
I've tried to set up my freeIPA server on a freshly installed CentOS8 as a sub-CA of my existing PKI with a private root-CA. My signing-CA has a match policy for (C)ountry and (O)rganizationName.
When trying to sign the CSR generated from freeIPA with command below it fails on a string encryption mismatch.
The string encryption on my organizationName, as well as my server DN is in PRINTABLESTRING encoding but my openssl generated signing cert needs it to be UTF8STRING.
I was under the impression UTF8STRING is the default for freeIPA CSRs. What am I missing, and how can I force it to be UTF8STRING?
CSR was generated with command:
ipa-server-install -r MYREALM.AS.UPPERCASE.DNSDOMAIN \
--external-ca \
--ca-subject CN=ipa-server-fqdn,C=SE,O=MyOrganizationName \
--ca-base C=SE,O=MyOrganizationName
Installation is successful and I'm supposed to sign the CSR and finalize ipa-install with the second step. However, the signing fails because MyOrganizationName != MyOrganizationName due to different encodings.
When looking at the CSR with "openssl req -noout -text -in ipa.csr" everything looks OK but when using "openssl asn1parse -in ipa.csr" it shows the mismatch of the organizationName PRINTABLESTRING compared to my successfully signed CSR's UTF8STRING.
Any ideas?
kernel version: 4.18.0-147.5.1.el8_1.x86_64
ipa-server: ipa-server-4.8.0-13.module_el8.1.0+265+e1e65be4.x86_64
openssl: openssl-1.1.1c-2.el8.x86_64
Regards,
/Fredrik
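To make the mismatch visible without a real CSR, here is an added example (not from the post, freeIPA or OpenSSL) that hand-builds the DER Name from the post's values, C=SE and O=MyOrganizationName, once with the O value tagged PRINTABLESTRING and once tagged UTF8STRING, then walks the DER the way "openssl asn1parse" does and reports attributes whose text is identical but whose string type differs. The DER helpers and the mismatch check are assumptions of this example.

```python
# Tag numbers as they appear in an asn1parse dump; names mirror openssl's output.
PRINTABLE_STRING, UTF8_STRING = 0x13, 0x0C
TAG_NAMES = {0x13: "PRINTABLESTRING", 0x0C: "UTF8STRING", 0x16: "IA5STRING"}
OID_C, OID_O = b"\x55\x04\x06", b"\x55\x04\x0a"   # 2.5.4.6 (C), 2.5.4.10 (O)

def der_tlv(tag, body):
    # Encode one tag-length-value triple (short and long length forms).
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def rdn(oid, value, string_tag):
    # RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
    atv = der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(string_tag, value.encode("utf-8")))
    return der_tlv(0x31, atv)

def name(attrs):
    # Name ::= SEQUENCE OF RelativeDistinguishedName; attrs = [(oid, text, tag)]
    return der_tlv(0x30, b"".join(rdn(o, v, t) for o, v, t in attrs))

def read_tlv(buf, pos):
    # Decode one TLV at pos; return (tag, body, position after the TLV).
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def attribute_tags(der_name):
    """Return [(oid_hex, string_type_name, text)] for each attribute in a DER Name."""
    out, pos = [], 0
    _, body, _ = read_tlv(der_name, 0)
    while pos < len(body):
        _, rdn_body, pos = read_tlv(body, pos)
        _, atv_body, _ = read_tlv(rdn_body, 0)
        _, oid, p = read_tlv(atv_body, 0)
        vtag, val, _ = read_tlv(atv_body, p)
        out.append((oid.hex(), TAG_NAMES.get(vtag, hex(vtag)), val.decode("utf-8")))
    return out

def encoding_mismatches(der_a, der_b):
    """Attributes whose text is equal but whose ASN.1 string type differs."""
    pairs = zip(attribute_tags(der_a), attribute_tags(der_b))
    return [(oa, ta, tb) for (oa, ta, va), (ob, tb, vb) in pairs
            if oa == ob and va == vb and ta != tb]

# Constructed sample: the CSR's Name with O as PRINTABLESTRING vs. the signer's UTF8STRING.
IPA_NAME = name([(OID_C, "SE", PRINTABLE_STRING), (OID_O, "MyOrganizationName", PRINTABLE_STRING)])
SIGNER_NAME = name([(OID_C, "SE", PRINTABLE_STRING), (OID_O, "MyOrganizationName", UTF8_STRING)])
```

A byte-exact DN comparison in a CA policy sees two different values here even though the printable text is the same.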