[Freeipa-users] Use of SAN's with automatic certificates in FreeIPA 4

Michael Lasevich mlasevich at lasevich.net
Fri Sep 12 18:43:54 UTC 2014


That is awesome, but I am clearly missing some insight as to how this is
supposed to work. Can you point me to some more specific info on how to
accomplish this.

I tried using the ipa-getcert request with multiple -D's from the client,
but got:

** Insufficient access: You need to be a member of the serviceadmin role to
add services

Unless I am missing something, I should probably not add each host to
"serviceadmins" for security reasons.

So then I tried generating a CSR via openssl with SANs on the client and
then adding it using "ipa cert-request file.csr --prinicple
host/${client_hostname}@DOMAIN" from the ipa server as admin (just to be sure)
and got this error (where <ALIAS> is the first SAN):

** ipa: ERROR: The service principal for subject alt name <ALIAS> in
certificate request does not exist

It sounds like I need to create a service principal for each SAN, but I can't
seem to figure out how to do it (it only allows me to create service
principals for existing hosts).

Any help or pointers would be greatly appreciated

-M

On Fri, Sep 12, 2014 at 4:12 AM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 09/11/2014 09:25 PM, Michael Lasevich wrote:
>
>   If I remember correctly, you could not use SAN (Subject Alternate
> Names) for certificates in FreeIPA 3.0 - is this still the case with 4?
>
>
> https://fedorahosted.org/freeipa/ticket/3977 < 4.0 is able.
>
>
>  I have hosts that automatically receive two hostnames, a long proper name
> (like "service-i-12345678") and a simpler cname based on an index for ease
> of access (like "service-1") - however, since the OS hostname is the "proper"
> one, certs would typically be issued to that name. I want my users to be
> able to hit it via the simpler "index" names. Is that currently possible
> (esp. given that the cnames are actually in a different DNS domain)?
>
>  Thanks,
>
>  -M
>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
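The second error in the post ("The service principal for subject alt name <ALIAS> in certificate request does not exist") is FreeIPA refusing a CSR whose SAN has no matching service principal. The script below is an added example, not code from the thread or from the FreeIPA project: it extracts the DNS SANs from a CSR with openssl and asks the ipa CLI whether a host/<san>@REALM principal exists for each, so the missing ones are known before the request is submitted. The hostnames, the EXAMPLE.COM realm and the IPA_CMD override are constructed assumptions; the real tool needs a valid admin ticket.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for a CSR with SANs
# before running "ipa cert-request". FreeIPA rejects the request when a SAN has
# no matching service principal, so list the SANs that would trip that check.
# Assumptions: openssl 1.1.1+ (for -addext when building the demo CSR), an "ipa"
# CLI with an admin ticket; IPA_CMD is a hypothetical override so the logic can
# be exercised offline with a stand-in command.
set -e

IPA_CMD="${IPA_CMD:-ipa}"

# Print the DNS SANs of a CSR, one per line.
csr_dns_sans() {
    openssl req -in "$1" -noout -text \
      | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS://p'
}

# Echo each SAN whose host/<san>@<realm> service principal is unknown to FreeIPA.
# Exit status 0 when every SAN is covered, 1 when at least one is missing.
missing_san_principals() {
    csr="$1"; realm="$2"; rc=0
    for san in $(csr_dns_sans "$csr"); do
        if ! "$IPA_CMD" service-show "host/$san@$realm" >/dev/null 2>&1; then
            echo "$san"
            rc=1
        fi
    done
    return $rc
}

# Build a constructed CSR carrying the host's proper name plus an index alias
# in a different DNS domain, mirroring the situation described in the thread.
make_demo_csr() {
    out="$1"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$out.key" \
      -subj "/CN=service-i-12345678.example.com" \
      -addext "subjectAltName=DNS:service-i-12345678.example.com,DNS:service-1.alias.example.com" \
      -out "$out" 2>/dev/null
}
```

Usage against a live server: `missing_san_principals file.csr EXAMPLE.COM`; an empty result and exit status 0 mean every SAN already has a principal, and any names printed are the ones the CA would reject.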