When installing multiple instances on the same host sharing the same HSM, if subject_dn's are not specifically spelled out with unique names for each instance, installation will fail with complaints that the same subject name and serial number already exist.
This happens in the scenario if you are creating a subordinate CA, for example, that's in the same domain name as the root CA. It is very inconvenient that you are expected to spell out subject dn's of all system certs in the pkispawn config file.
I think it would be much more convenient if we change default.cfg so that the instance name is in the default subject dn, e.g. adding it as an "ou" component:
ou=%(pki_instance_name)s
From 1d1b3a7 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@dhcp-16-189.sjc.redhat.com>
Date: Wed, 31 Aug 2016 14:03:02 -0700
Subject: [PATCH 02/10] Ticket 2446 pkispawn: make subject_dn defaults unique per instance name (for shared HSM)
When installing multiple instances on the same host sharing the same HSM, if subject_dn's are not specifically spelled out with unique names for each instance, installation will fail with complaints that same subject name and serial number already exist.
This happens in the scenario if you are creating a subordinate CA, for example, that's in the same domain name as the root CA. It is very inconvenient that you are expected to spell out subject dn's of all system certs in the pkispawn config file.
This patch changes default.cfg so that the instance name is in the default subject dn, e.g. adding it as an "ou" component:
ou=%(pki_instance_name)s
This issue was migrated from Pagure Issue #2446. Originally filed by cfu (@cfu) on 2016-08-25 01:44:37.
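The collision described in this issue, as an added illustration that is not code from Dogtag or from the patch: it renders default subject DNs for two instances on one host with the same `%(name)s` interpolation style and reports DNs that more than one instance would place on the shared token. The template strings, their key names, the sample instances, and the use of `pki_hostname` and `pki_security_domain_name` are assumptions made for the example; only `ou=%(pki_instance_name)s` comes from the issue.

```python
from collections import defaultdict
from configparser import ConfigParser

# Constructed stand-ins for default.cfg subject DN defaults (not copied from it).
OLD_DEFAULTS = {
    "ssl_server_dn": "cn=%(pki_hostname)s,o=%(pki_security_domain_name)s",
    "subsystem_dn": "cn=Subsystem Certificate,o=%(pki_security_domain_name)s",
}
# Same templates with the instance name added as an "ou" component.
NEW_DEFAULTS = {
    "ssl_server_dn": "cn=%(pki_hostname)s,ou=%(pki_instance_name)s,"
                     "o=%(pki_security_domain_name)s",
    "subsystem_dn": "cn=Subsystem Certificate,ou=%(pki_instance_name)s,"
                    "o=%(pki_security_domain_name)s",
}

# Constructed sample: a root CA and a subordinate CA on one host, same domain.
INSTANCES = [
    {"pki_instance_name": "pki-rootca", "pki_hostname": "ca.example.test",
     "pki_security_domain_name": "EXAMPLE.TEST Security Domain"},
    {"pki_instance_name": "pki-subca", "pki_hostname": "ca.example.test",
     "pki_security_domain_name": "EXAMPLE.TEST Security Domain"},
]


def render(templates, instance):
    """Expand %(name)s references in each template using the instance values."""
    cp = ConfigParser()
    cp["inst"] = {**instance, **templates}
    return {key: cp.get("inst", key) for key in templates}


def dn_collisions(templates, instances):
    """Map each subject DN to the instances sharing it, keeping only duplicates."""
    owners = defaultdict(list)
    for inst in instances:
        for dn in render(templates, inst).values():
            # DN attribute values are compared case-insensitively here.
            owners[dn.lower()].append(inst["pki_instance_name"])
    return {dn: names for dn, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    for label, templates in (("old", OLD_DEFAULTS), ("new", NEW_DEFAULTS)):
        clashes = dn_collisions(templates, INSTANCES)
        print(label, "defaults:", len(clashes), "colliding subject DN(s)")
        for dn, names in clashes.items():
            print("  ", dn, "<-", ", ".join(names))
```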