[Freeipa-users] Wildcard SSL
Jan Cholasta
jcholast at redhat.com
Mon Sep 23 14:00:56 UTC 2013
On 16.9.2013 01:20, Andrew Lau wrote:
>
> On Mon, Sep 16, 2013 at 4:23 AM, Dmitri Pal <dpal at redhat.com> wrote:
>
> On 09/14/2013 04:00 AM, Andrew Lau wrote:
>> Hi,
>>
>> I have a reverse proxy in front of many of my hosts, each of the
>> virtual hosts has its own SSL cert, currently with FreeIPA I'm
>> adding hosts for each virtual host and then creating a cert.
>>
>> From what I've found, it doesn't seem to be possible to do a
>> wildcard ssl through FreeIPA, I tried exporting the ca root
>> private key to manually sign a wildcard cert with no success. I
>> may have done that wrong.
>>
>> Any suggestions?
>
> Is this what you are looking for?
> https://fedorahosted.org/freeipa/ticket/3475
>
> It is currently on a distant roadmap but help always welcome.
>
>>
>> Thanks,
>> Andrew
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> Yeah.
>
> Is there any way of manually doing that now by pulling the root ca and
> key out to sign a cert?

You can do it manually via Dogtag.

First, import the client cert from /root/ca-agent.p12 found on your IPA
server to your web browser.

Then, navigate your web browser to
https://ipaserver:8443/ca/ee/ca/profileSelect?profileId=caServerCert,
paste the wildcard CSR in the form and submit it.

Then, navigate your web browser to
https://ipaserver:8443/ca/agent/ca/listRequests.html, find your request
and approve it. This should give you the signed certificate.

Honza
--
Jan Cholasta
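
Added example (not part of the original message and not FreeIPA or Dogtag code): one way to generate the wildcard CSR that the steps above paste into the enrollment form, and to sanity-check it before submission. The domain example.test, the file names and the function names are assumptions; whether the issued certificate carries the requested subjectAltName depends on the CA profile.

```shell
#!/bin/sh
# Build and check a wildcard CSR with openssl. "example.test" is a
# constructed placeholder domain; file and function names are hypothetical.

# make_wildcard_csr DOMAIN OUTDIR
# Writes OUTDIR/wildcard.key (unencrypted, mode 0600) and OUTDIR/wildcard.csr.
# Runs in a subshell so the restrictive umask does not leak to the caller.
make_wildcard_csr() (
    domain=$1; outdir=$2
    umask 077
    mkdir -p "$outdir" || exit 1
    cat > "$outdir/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = *.$domain
[ext]
subjectAltName = DNS:*.$domain
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$outdir/req.cnf" \
        -keyout "$outdir/wildcard.key" -out "$outdir/wildcard.csr" 2>/dev/null
)

# check_wildcard_csr DOMAIN CSR KEY
# Returns 0 only if the CSR self-signature verifies, the CSR requests
# DNS:*.DOMAIN, and the CSR public key belongs to KEY.
check_wildcard_csr() {
    domain=$1; csr=$2; key=$3
    # Match on the message text: older openssl exits 0 even on a bad signature.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    openssl req -in "$csr" -noout -text | grep -qF "DNS:*.$domain" || return 1
    # Compare digests of the two SubjectPublicKeyInfo PEM blocks.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$csr_pub" = "$key_pub" ]
}
```

The private key never leaves the host that generated it; only wildcard.csr is pasted into the form.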