2:41 a.m.
I have a piece of equipment with a web interface, for which I would like to generate a
certificate. The web interface supports generating a CSR, but it's not possible to
customize very much, and this gives problems when trying to feed the CSR into FreeIPA.
The relevant parts of the CSR look like this:
Certificate Request:
Data:
Version: 2 (0x2)
Subject: emailAddress=redacted(a)example.com, C=redacted, ST=redacted, L=redacted,
O=redacted, OU=redacted, CN=equipment0.example.local
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
...
Exponent: redacted
Attributes:
Requested Extensions:
X509v3 Subject Key Identifier:
AB:84:B3:86:45:E9:66:86:F2:35:FB:88:56:B4:36:B4:1A:6A:B1:86
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:equipment0.example.local, DNS:169.254.0.1, IP Address:169.254.0.1
Signature Algorithm: sha256WithRSAEncryption
...
When feeding this CSR to FreeIPA, I get the following error:
The service principal for subject alt name 169.254.0.1 in certificate request does not
exist
I don't know where this 169.254.0.1 comes from, or how to change this. Is there a
workaround to make FreeIPA accept this? Can I create that as a HTTP service and attach to
the host?