As mentioned in #95 (closed), I want to be able to change the default CA Subject
openssl x509 -in /etc/ipa/ca.crt -noout -subject
subject=O = TEST.EXAMPLE.COM, CN = Certificate Authoritywith this change:
$realm = 'TEST.EXAMPLE.COM'
class { 'freeipa' :
[...]
ca_subject => "CN=Secondary Certificate Authority,O=${realm}"
}openssl x509 -in /etc/ipa/ca.crt -noout -subject
subject=O = TEST.EXAMPLE.COM, CN = Secondary Certificate AuthorityAs mentioned in the ipa-server-install --help:
--ca-subject=CA_SUBJECT
The CA certificate subject DN (default CN=Certificate
Authority,O=<realm-name>). RDNs are in LDAP order
(most specific RDN first). There is no option --ca-subject in ipa-replica-install --help, so I guess you can’t set it, but I don’t have a setup to test it, so I do not know what is the exact behavior when creating a replica using with the --setup-ca option.
Also, the test for --ca-subject is quite hard to do for this, as it imply running openssl x509 as shown, so would only be possible to run in acceptance, and even so quite hard to run I think. Therefore I did not add any. If you think it should be done at all cost, I’m not sure how I would proceed…