[Freeipa-users] Adding SAN to default self-signed cert?

Janelle janellenicole80 at gmail.com
Tue Aug 4 15:01:13 UTC 2015


Trying to figure this out:

ipa host-add haproxy.example.com
ipa service-add HTTP/haproxy.example.com@EXAMPLE.COM
ipa service-add LDAP/haproxy.example.com@EXAMPLE.COM

ipa-getcert request -d /tmp -n haproxy-cert -K LDAP/haproxy.example.com \
  -N 'CN=haproxy.example.com,O=EXAMPLE.COM'

^^^^^ this is where I am confused, because if I created a cert request 
for the new service, then why am I putting the name of the haproxy in 
the SAN? Unless I am completely misreading your suggestion?

Thank you
~J

On 8/2/15 8:53 PM, Fraser Tweedale wrote:
> On Sun, Aug 02, 2015 at 02:59:52PM -0700, Janelle wrote:
>> Hello everyone,
>>
>> I was wondering if anyone knows of a way to add SAN(s) to the self-signed
>> certificates that are installed when you install freeipa? Or am I stuck
>> having to do a re-install and use new certificates?   If you try to run
>> haproxy as a load balancer in front of the "ldap/http" servers, well, as you
>> might guess the haproxy server name needs to be added somehow to the server
>> configs so it is a SAN of the existing self-signed certs.  I can't think of
>> any way to do it, but maybe some of the pki experts here have an idea?
>>
>> Thank you
>> ~Janelle
>>
> You do not need a SAN on the root certificate, but on the service
> certificates.  This is supported: you first need to create a service
> principal for the load balancer, then issue a new service
> certificate with the haproxy SAN in the CSR (the getcert `-D' option
> can be used to add a SAN to a certmonger request).
>
> HTH,
> Fraser
>
>> -- 
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
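An added worked example of the procedure Fraser describes, not code from the thread or from the FreeIPA project: after the host and service principals exist (the ipa host-add / ipa service-add commands above), one certmonger request with the load balancer's name passed through -D puts that name into the SAN of the CSR, and a small openssl check confirms the issued certificate actually carries it. The PEM file paths, the extra "ldap.example.com" alias and the cert_dns_sans / cert_has_san helpers are assumptions made for the example; -K, -N and -D are real ipa-getcert options.

```sh
#!/bin/sh
# Added example, not code from the thread: request the HAProxy front end's
# service certificate with the load balancer name as a SAN (the -D option),
# then check that the issued certificate really carries that SAN.
# Assumptions: the host and service principals were created with the
# ipa host-add / ipa service-add commands above; ipa-getcert (certmonger) and
# openssl are installed here; the file paths and the extra alias are made up.

LB_HOST="haproxy.example.com"
REALM="EXAMPLE.COM"
CERT_FILE="/etc/haproxy/certs/haproxy.pem"       # hypothetical path
KEY_FILE="/etc/haproxy/certs/haproxy.key"        # hypothetical path
EXTRA_ALIAS="ldap.example.com"                   # constructed client-facing alias

# Ask certmonger to obtain the certificate from the IPA CA.  -K names the
# service principal the certificate belongs to, -N sets the subject, and every
# -D adds one dNSName to the SAN extension of the CSR.
request_lb_cert() {
    ipa-getcert request \
        -f "$CERT_FILE" -k "$KEY_FILE" \
        -K "LDAP/${LB_HOST}@${REALM}" \
        -N "CN=${LB_HOST},O=${REALM}" \
        -D "$LB_HOST" \
        -D "$EXTRA_ALIAS"
}

# Print every DNS name from the subjectAltName of a PEM certificate, one per line.
cert_dns_sans() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)[[:space:]]*$/\1/p'
}

# Exit 0 when the certificate lists the given DNS name as a SAN, 1 otherwise.
cert_has_san() {
    cert_dns_sans "$1" | grep -qxF "$2"
}

# Usage: ./lb-cert.sh request         (submit the certmonger request)
#        ./lb-cert.sh check FILE.pem  (verify the SAN on an issued certificate)
case "${1:-}" in
    request) request_lb_cert ;;
    check)
        if cert_has_san "$2" "$LB_HOST"; then
            echo "$2: SAN $LB_HOST present"
        else
            echo "$2: SAN $LB_HOST missing" >&2
            exit 1
        fi
        ;;
esac
```

Once certmonger reports the request as MONITORING (getcert list), run the check against the PEM file it wrote; a certificate whose SAN lacks the haproxy name is the usual cause of clients rejecting the load balancer, so verifying the SAN is worth doing before pointing haproxy at the new files.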
