[Freeipa-users] Adding SAN to default self-signed cert?

Fraser Tweedale ftweedal at redhat.com
Wed Aug 5 06:36:48 UTC 2015


On Tue, Aug 04, 2015 at 08:01:13AM -0700, Janelle wrote:
> Trying to figure this out:
> 
> ipa host-add haproxy.example.com
> ipa service-add HTTP/haproxy.example.com at EXAMPLE.COM
> ipa service-add LDAP/haproxy.example.com at EXAMPLE.COM
> 
> ipa-getcert request -d /tmp -n haproxy-cert -K LDAP/haproxy.example.com -N
> 'CN=haproxy.example.com,O=EXAMPLE.COM'
> 
> ^^^^^ this is where I am confused, because if I created a cert request for
> the new service, then why am I putting the name of the haproxy in the SAN?
> Unless I am completely misreading your suggestion?
> 
You need to add haproxy.example.com as a SAN of the IPA host, or
vice-versa.

Also, the service in the SAN must be "managed by" the host on which
the certificate is issued (i.e. the host in the CN).  You can do
this in the web UI: Services > {service} > Hosts > Add.  I do not
know of a way to do this via CLI - if someone knows a way please
shout out!

So if the IPA service is `HTTP/ipa.example.com' and load balancer
service `HTTP/haproxy.example.com' is managed by host
`ipa.example.com', you can run:

  ipa-getcert request {nssdb-options} -n haproxy-cert \
    -K HTTP/ipa.example.com \
    -N CN=ipa.example.com \
    -D haproxy.example.com

-K gives principal, -N gives DN and -D gives dNSName SAN.

HTH,
Fraser

> Thank you
> ~J
> 
> On 8/2/15 8:53 PM, Fraser Tweedale wrote:
> >On Sun, Aug 02, 2015 at 02:59:52PM -0700, Janelle wrote:
> >>Hello everyone,
> >>
> >>I was wondering if anyone knows of a way to add SAN(s) to the self-signed
> >>certificate that are installed when you installed freeipa? Or am I stuck
> >>having to do a re-install and use new certificates?   If you try to run
> >>haproxy as a load balancer in front of the "ldap/http" servers, well, as you
> >>might guess the haproxy server name needs to be added somehow to the server
> >>configs so it is a SAN of the existing self-signed certs.  I can't think of
> >>any way to do it, but maybe some of the pki experts here have any idea?
> >>
> >>Thank you
> >>~Janelle
> >>
> >You do not need a SAN on the root certificate, but on the service
> >certificates.  This is supported: you first need to create a service
> >principal for the load balancer, then issue a new service
> >certificate with the haproxy SAN in the CSR (the getcert `-D' option
> >can be used to add a SAN to a certmonger request).
> >
> >HTH,
> >Fraser
> >
> >>-- 
> >>Manage your subscription for the Freeipa-users mailing list:
> >>https://www.redhat.com/mailman/listinfo/freeipa-users
> >>Go to http://freeipa.org for more info on the project
> 
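The sequence described in Fraser's reply, written out as an added example script (not code from the thread or from the FreeIPA project). The hostnames, realm and certificate/key paths are assumptions; `ipa service-add-host` is the CLI equivalent of the web UI's Services > {service} > Hosts > Add step. Two additions a practitioner would want: the real host's own name is also listed as a dNSName SAN (clients that see a SAN ignore the CN), and the issued certificate is checked for the load balancer name before it is put into service. Setting DRY_RUN=1 prints the commands instead of running them, so the script can be reviewed without an IPA server.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the FreeIPA project.
# Assumed names: ipa.example.com (IPA server), haproxy.example.com (load
# balancer), realm EXAMPLE.COM, and file paths for the issued cert and key.

# run CMD...: execute CMD, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# lb_cert_request IPA_HOST LB_HOST REALM CERT_FILE KEY_FILE
# Issues a certificate for the IPA host's HTTP service that also carries
# the load balancer name as a dNSName SAN.
lb_cert_request() {
    ipa_host=$1; lb_host=$2; realm=$3; cert=$4; key=$5

    # 1. The load balancer needs a host entry and a service principal:
    #    the IPA CA only accepts SANs for service principals that exist.
    run ipa host-add "$lb_host"
    run ipa service-add "HTTP/$lb_host@$realm"

    # 2. The service named in the SAN must be "managed by" the host in
    #    the CN (CLI form of the web UI step in the reply above).
    run ipa service-add-host "HTTP/$lb_host@$realm" --hosts="$ipa_host"

    # 3. Request the cert for the IPA host's own principal (-K), with the
    #    IPA host in the subject (-N) and both names as dNSName SANs (-D).
    #    -f/-k write PEM files; for IPA's own NSS databases use -d/-n
    #    instead, as the {nssdb-options} placeholder in the reply does.
    run ipa-getcert request -f "$cert" -k "$key" \
        -K "HTTP/$ipa_host@$realm" \
        -N "CN=$ipa_host,O=$realm" \
        -D "$ipa_host" -D "$lb_host"
}

# lb_cert_check CERT_FILE LB_HOST
# Returns 0 only if the issued certificate's SAN carries LB_HOST.
lb_cert_check() {
    cert=$1; lb_host=$2
    openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -q "DNS:$lb_host"
}

# Usage (dry-run first, then for real):
#   DRY_RUN=1 lb_cert_request ipa.example.com haproxy.example.com EXAMPLE.COM /etc/pki/tls/certs/lb.crt /etc/pki/tls/private/lb.key
#   lb_cert_request ipa.example.com haproxy.example.com EXAMPLE.COM /etc/pki/tls/certs/lb.crt /etc/pki/tls/private/lb.key
#   lb_cert_check /etc/pki/tls/certs/lb.crt haproxy.example.com || echo "SAN missing"
```

Repeat the same steps with an `ldap/` principal for the directory server front end. Because the request is made for the IPA host's principal, the key stays on the IPA host; the load balancer then either terminates TLS with a copy of this certificate or passes TLS through, and in both cases clients connecting to haproxy.example.com see a certificate whose SAN matches.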