[Freeipa-users] Wildcard SSL

Jan Cholasta jcholast at redhat.com
Mon Sep 23 14:00:56 UTC 2013


On 16.9.2013 01:20, Andrew Lau wrote:
>
> On Mon, Sep 16, 2013 at 4:23 AM, Dmitri Pal <dpal at redhat.com> wrote:
>
>     On 09/14/2013 04:00 AM, Andrew Lau wrote:
>>     Hi,
>>
>>     I have a reverse proxy in front of many of my hosts; each of the
>>     virtual hosts has its own SSL cert. Currently with FreeIPA I'm
>>     adding hosts for each virtual host and then creating a cert.
>>
>>     From what I've found, it doesn't seem to be possible to do a
>>     wildcard ssl through FreeIPA, I tried exporting the ca root
>>     private key to manually sign a wildcard cert with no success. I
>>     may have done that wrong.
>>
>>     Any suggestions?
>
>     Is this what you are looking for?
>     https://fedorahosted.org/freeipa/ticket/3475
>
>     It is currently on a distant roadmap but help always welcome.
>
>>
>>     Thanks,
>>     Andrew
>>
>>
>>     _______________________________________________
>>     Freeipa-users mailing list
>>     Freeipa-users at redhat.com
>>     https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>     --
>     Thank you,
>     Dmitri Pal
>
>     Sr. Engineering Manager for IdM portfolio
>     Red Hat Inc.
>
>
>
>
> Yeah.
>
> Is there any way of manually doing that now by pulling the root ca and
> key out to sign a cert?

You can do it manually via Dogtag.

First, import the client cert from /root/ca-agent.p12 found on your IPA 
server to your web browser.

Then, navigate your web browser to 
https://ipaserver:8443/ca/ee/ca/profileSelect?profileId=caServerCert, 
paste the wildcard CSR in the form and submit it.

Then, navigate your web browser to 
https://ipaserver:8443/ca/agent/ca/listRequests.html, find your request 
and approve it. This should give you the signed certificate.

Honza

-- 
Jan Cholasta
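
The steps above expect a wildcard CSR to paste into the enrollment form. As an added example that is not part of the original message or of FreeIPA's own tooling, the following generates one with OpenSSL and checks its names before submission; `example.test`, the file names and the function names are assumptions.

```shell
#!/bin/sh
# Added example: build a wildcard CSR to paste into the Dogtag enrollment form.
# example.test and all file/function names are placeholders, not from the thread.

# make_wildcard_csr DOMAIN OUTDIR
# Writes OUTDIR/wildcard.key and OUTDIR/wildcard.csr.
make_wildcard_csr() {
    domain=$1
    outdir=$2
    conf="$outdir/wildcard.cnf"

    # A config file rather than -addext, so older OpenSSL releases work too.
    cat > "$conf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = *.$domain
[ext]
subjectAltName = DNS:*.$domain
EOF

    # Restrictive umask for the key: one key now serves every virtual host
    # the wildcard matches, so its exposure affects all of them.
    (
        umask 077
        openssl req -new -newkey rsa:2048 -nodes \
            -config "$conf" \
            -keyout "$outdir/wildcard.key" \
            -out "$outdir/wildcard.csr" 2>/dev/null
    )
}

# csr_summary CSR_FILE
# Prints the CSR's subject and requested extensions in text form.
csr_summary() {
    openssl req -in "$1" -noout -text 2>/dev/null
}

# csr_has_wildcard CSR_FILE DOMAIN
# Succeeds only if both the subject CN and the SAN carry *.DOMAIN.
csr_has_wildcard() {
    text=$(csr_summary "$1") || return 1
    printf '%s\n' "$text" | grep -F "Subject:" | grep -qF "*.$2" || return 1
    printf '%s\n' "$text" | grep -F "DNS:" | grep -qF "DNS:*.$2"
}
```

After approval, inspect the issued certificate's names with `openssl x509 -noout -text` rather than assuming the request's extensions were copied into it.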



