[Freeipa-users] subjectAlternitiveName for webservice

Matt . yamakasi.014 at gmail.com
Fri Mar 6 13:25:57 UTC 2015


Hi Martin,

Thanks, I saw that ticket but didn't get to the wiki part yet.

What I wonder in Step 6:

6. Request a signed certificate for the service and see the entry in
Certmonger. In case you created a NSS database with a PIN (see step
3), use the -P $PIN or -p /etc/httpd/nssdb/pwdfile.txt option to
tell certmonger about it:

# ipa-getcert request -d /etc/httpd/nssdb -n Server-Cert \
    -K HTTP/`hostname` -N CN=`hostname`,O=EXAMPLE.COM -g 2048 \
    -p /etc/httpd/nssdb/pwdfile.txt

SAN names: in FreeIPA 4.0 and later, you can add optional SAN DNS
names to your request with -D. Note that you need to first create the
respective host or service objects and configure that the given host can
manage them with the service-add-host or host-add-managedby command. These
objects are verified when the FreeIPA cert-req command authorizes
the SAN names.

Can I just add the alt names in that command, or how should I proceed? I
added the host like

ldap.domain... where my ldap servers are ldap-01 and ldap-02

Thanks!

Matt

2015-03-06 14:08 GMT+01:00 Martin Kosek <mkosek at redhat.com>:
> On 03/06/2015 01:30 PM, Matt . wrote:
>>
>> Hi,
>>
>> I'm figuring out how to regenerate the webserver certificates so I can
>> use a loadbalancer in front of my ipa servers.
>>
>> I see in the docs there is information about this, but not for the
>> webservice. Does anyone have some directions ?
>>
>> Thanks.
>>
>> Matt
>>
>
> Certificate SubjectAltName was fixed in FreeIPA 4.0, this is the upstream
> ticket:
> https://fedorahosted.org/freeipa/ticket/3977
>
> The procedure is described in upstream wiki for example:
> http://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger
>
> HTH,
> Martin
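The wiki step quoted above, carried through for the load-balancer case, as an added example that is not from the thread or from the FreeIPA wiki. It assumes the names lb.example.com (the load-balancer name that becomes the SAN), ipa-01.example.com and ipa-02.example.com (the servers that will request the certificate), and an admin Kerberos ticket; DRY_RUN=1 only prints the commands.

```shell
#!/bin/sh
# Added example: register a load-balancer name as a SAN for the HTTP
# service of two IPA servers, then request the certificate with -D.
# Assumed names: lb.example.com, ipa-01.example.com, ipa-02.example.com.

DRY_RUN=${DRY_RUN:-0}

run() {
    # Echo each command; execute it unless DRY_RUN=1.
    printf '+ %s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# Step A (once, as admin): create the host and service objects that the
# CA checks when it authorizes the SAN, and let the real servers manage
# them (host-add-managedby for the host, service-add-host for the service).
register_san_objects() {
    lb=$1; shift                  # load-balancer FQDN that becomes the SAN
    hosts=$(IFS=,; echo "$*")     # comma-separated list of requesting servers
    run ipa host-add "$lb" --force        # --force: name need not resolve in IPA DNS
    run ipa service-add "HTTP/$lb"
    run ipa service-add-host "HTTP/$lb" --hosts="$hosts"
    run ipa host-add-managedby "$lb" --hosts="$hosts"
}

# Step B (on each IPA server, as root): ask certmonger for a Server-Cert
# for this server's own HTTP principal, with the load-balancer name as SAN.
request_http_cert() {
    lb=$1
    fqdn=${2:-$(hostname)}        # this server's FQDN (override for dry runs)
    run ipa-getcert request -d /etc/httpd/nssdb -n Server-Cert \
        -K "HTTP/$fqdn" -N "CN=$fqdn,O=EXAMPLE.COM" -g 2048 \
        -p /etc/httpd/nssdb/pwdfile.txt -D "$lb"
}

if [ "${RUN_SAN_SETUP:-0}" = 1 ]; then
    register_san_objects lb.example.com ipa-01.example.com ipa-02.example.com
    request_http_cert lb.example.com
fi
```

Run step A once with RUN_SAN_SETUP=1 on an admin machine; step B is repeated on each server, after which `ipa-getcert list` shows the tracked request.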