[Freeipa-users] Adding SAN to default self-signed cert?
Fraser Tweedale
ftweedal at redhat.com
Mon Aug 3 03:53:37 UTC 2015
On Sun, Aug 02, 2015 at 02:59:52PM -0700, Janelle wrote:
> Hello everyone,
>
> I was wondering if anyone knows of a way to add SAN(s) to the self-signed
> certificate that is installed when you install freeipa? Or am I stuck
> having to do a re-install and use new certificates? If you try to run
> haproxy as a load balancer in front of the "ldap/http" servers, well, as you
> might guess the haproxy server name needs to be added somehow to the server
> configs so it is a SAN of the existing self-signed certs. I can't think of
> any way to do it, but maybe some of the pki experts here have an idea?
>
> Thank you
> ~Janelle
>
You do not need a SAN on the root certificate, but on the service
certificates. This is supported: you first need to create a service
principal for the load balancer, then issue a new service
certificate with the haproxy SAN in the CSR (the getcert `-D' option
can be used to add a SAN to a certmonger request).
HTH,
Fraser
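
Added example, not part of the original message and not FreeIPA's own code: the two steps from the reply above (service principal for the load balancer, then a certmonger request carrying the extra SAN via `-D`) as a shell script. The host names, file paths, the `--force` host/service creation and the managed-by delegation in step 2 are assumptions about a typical deployment.

```shell
#!/bin/sh
# Dry-run by default: each command is printed. Set DRY_RUN=0 on an enrolled
# host with an admin Kerberos ticket to execute them.
# All host names and file paths below are constructed placeholders.

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only plain lower-case DNS host names, so a typo or a wildcard
# never ends up as a SAN in the CSR.
valid_dns_name() {
    printf '%s\n' "$1" |
        grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$'
}

# usage: issue_cert_with_lb_san SERVICE BACKEND_HOST LB_HOST
issue_cert_with_lb_san() {
    svc=$1
    backend=$2
    lb=$3
    for name in "$backend" "$lb"; do
        valid_dns_name "$name" || { echo "invalid DNS name: $name" >&2; return 1; }
    done

    # 1. Service principal for the load balancer name. Its host entry must
    #    exist first; --force skips the DNS check (assumption: no A record yet).
    run ipa host-add "$lb" --force
    run ipa service-add "$svc/$lb" --force

    # 2. Assumption: the backend host has to manage that principal before
    #    the CA accepts the load balancer name as a SAN in its request.
    run ipa service-add-host "$svc/$lb" --hosts="$backend"

    # 3. certmonger request: one -D per dNSName SAN, backend name included.
    run ipa-getcert request \
        -f "/etc/pki/tls/certs/$backend.crt" \
        -k "/etc/pki/tls/private/$backend.key" \
        -K "$svc/$backend" -D "$backend" -D "$lb"
}
```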