[Freeipa-users] Use of SAN's with automatic certificates in FreeIPA 4

Dmitri Pal dpal at redhat.com
Fri Sep 12 19:19:47 UTC 2014


On 09/12/2014 02:43 PM, Michael Lasevich wrote:
> That is awesome, but I am clearly missing some insight as to how this 
> is supposed to work. Can you point me to some more specific info on 
> how to accomplish this.
>
> I tried using the ipa-getcert request with multiple -D's from the 
> client, but got :
>
> ** Insufficient access: You need to be a member of the serviceadmin 
> role to add services
>
> Unless I am missing something, I should probably not add each host to 
> "serviceadmins" for security reasons.

4.0 has a new permissions system; this might yet be another use case 
that we have overlooked.
I will leave it to the developers to review this situation on Monday morning.

>
> So then I tried generating a CSR via openssl with SANs on the client 
> and then adding it using "ipa cert-request file.csr --principal 
> host/${client_hostname}@DOMAIN" from the IPA server as admin (just to be 
> sure) and got this error (where <ALIAS> is the first SAN):
>
> ** ipa: ERROR: The service principal for subject alt name <ALIAS> in 
> certificate request does not exist
>
> It sounds like I need to create a service principal for each SAN, but I 
> can't seem to figure out how to do it (it only allows me to create 
> service principals for existing hosts).
>
> Any help or pointers would be greatly appreciated
>
> -M
>
> On Fri, Sep 12, 2014 at 4:12 AM, Dmitri Pal <dpal at redhat.com> wrote:
>
>     On 09/11/2014 09:25 PM, Michael Lasevich wrote:
>>     If I remember correctly, you could not use SAN (Subject Alternate
>>     Names) for certificates in FreeIPA 3.0 - is this still the case
>>     with 4?
>
>     https://fedorahosted.org/freeipa/ticket/3977 < 4.0 is able.
>
>>
>>     I have hosts that automatically receive two hostnames, a long
>>     proper name (like "service-i-12345678") and a simpler CNAME based
>>     on an index for ease of access (like "service-1"). However, since
>>     the OS hostname is the "proper" one, certs would typically be issued
>>     to that name. I want my users to be able to hit it via the
>>     simpler "index" names. Is that currently possible (especially given that
>>     the CNAMEs are actually in a different DNS domain)?
>>
>>     Thanks,
>>
>>     -M
>>
>>
>
>
>     -- 
>     Thank you,
>     Dmitri Pal
>
>     Sr. Engineering Manager IdM portfolio
>     Red Hat, Inc.
>
>
>     --
>     Manage your subscription for the Freeipa-users mailing list:
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>     Go To http://freeipa.org for more info on the project
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
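The second approach in the thread (an openssl-generated CSR handed to "ipa cert-request") fails only after the CA has parsed the SAN list, so it helps to build the CSR in a reproducible way and read the names back before submitting it. The script below is an added example, not code from the thread or from the FreeIPA project: it writes a CSR whose subjectAltName carries every DNS name passed to it and then extracts that list again, which gives an exact set of names to check for matching principals in IPA (the error quoted above says a service principal must exist for each SAN). The hostnames and the example.com domain are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build a CSR carrying several DNS SANs
# with openssl, then read the SANs back so each name can be checked against
# the principals that exist in FreeIPA before running "ipa cert-request".
# All hostnames used by callers are constructed placeholders.

# make_san_csr DIR CN SAN1 [SAN2 ...]
# Writes DIR/host.key and DIR/host.csr; the CN plus every SAN go in the request.
make_san_csr() {
    dir=$1; cn=$2; shift 2
    sans=""
    for name in "$@"; do
        sans="${sans:+$sans,}DNS:$name"
    done
    # The extension goes through a config file rather than -addext so the
    # same script works on OpenSSL releases older than 1.1.1.
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = san_ext
prompt = no
[dn]
CN = $cn
[san_ext]
subjectAltName = $sans
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/host.key" -out "$dir/host.csr" \
        -config "$dir/req.cnf" >/dev/null 2>&1
}

# list_csr_sans CSR
# Prints the SAN line of the request, e.g. "DNS:a.example.com, DNS:b.example.com",
# so the names can be compared with what "ipa cert-request" will look up.
list_csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | sed 's/^[[:space:]]*//'
}
```

Typical use is `make_san_csr /tmp/req service-i-12345678.example.com service-1.example.com service-i-12345678.example.com` followed by `list_csr_sans /tmp/req/host.csr`; the CN is repeated as a SAN because clients that check names only look at the SAN list. Every name printed must correspond to a principal of the same service type as the one given to `--principal`, otherwise the request is rejected exactly as shown in the thread.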
