Currently the --subject option for ipa-server-install only allows you to add other attributes (e.g. O, OU, C) to the existing CN=Certificate Authority for the IPA CA. In some OSs, certificate authorities are only listed by CN (instead of other attributes in the DN), thus the rather bare entry of "Certificate Authority". In older versions of IPA, there was at least the realm added before such that you had EXAMPLE.COM Certificate Authority. It would be nice to be able to at a minimum return to this behavior, or, even better, be able to set the entire subject including the CN itself such that you would include the organization name in the CN.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=828866
Changing 3.2 priority
Also, --subject could be removed to --subject-base to be more describing what it is (originally proposed in #2574).
--subject
--subject-base
Stretch goal in 4.2.
Moving to 4.3, we are too close to 4.2 deadline to be able to handle this stretch RFE.
#5900 was closed as duplicate of this ticket.
Taking ownership.
master:
Reopening because ipa-ca-install fails unless both --subject-base and --ca-subject are specified.
ipa-ca-install
--ca-subject
Metadata Update from @sbingram: - Issue assigned to ftweedal - Issue set to the milestone: FreeIPA 4.5 backlog
Login to comment on this ticket.