[Freeipa-users] certificate add subject alt Name

Youenn PIOLET piolet.y at gmail.com
Thu Sep 10 13:59:51 UTC 2015


Hi,

I'm not sure I understood all of your problem, but here is some
information that may help:
- First, you don't change a certificate, but you can revoke it and make a new
one
- If you need to add a SubjectAltName to a certificate, you may have
realized that the -D parameter causes the request to be rejected by FreeIPA
when you try this:

ipa-getcert request -d $NSSPATH -n $CERTNAME -p $PWDFILE \
    -N "CN=$FQDN,O=$DOMAIN" -D "$CNAME" -K $PRINCIPAL

You have to force FreeIPA to recognise the CNAME first.

$ ipa host-add cname.domain --force
$ ipa service-add service/fqdn
$ ipa service-add service/cname.domain --force
$ ipa service-add-host service/cname.domain --host fqdn

Then the ipa-getcert request will work.

I hope it helps (you or anyone else needing a subjectaltname in a
certificate).
Cheers,

--
Youenn Piolet
piolet.y at gmail.com
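
Added example, not part of the original post: a check to run once the ipa-getcert request has succeeded, confirming that the issued certificate really carries the CNAME as a DNS subjectAltName. The function names and the sample openssl output are constructed for illustration; the match is exact, so a name that merely contains the CNAME does not pass.

```shell
#!/bin/sh
# Added example (not from the original post).
# Real use, with the variables from the post (certificate in an NSS database):
#   certutil -L -d "$NSSPATH" -n "$CERTNAME" -a \
#       | openssl x509 -noout -text | has_dns_san "$CNAME"

# Read `openssl x509 -noout -text` output on stdin, print one DNS SAN per line.
san_dns_names() {
    awk '
        /X509v3 Subject Alternative Name/ { grab = 1; next }
        grab {
            # The line after the extension header holds the comma-separated names.
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                entry = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", entry)
                # Skip non-DNS entries such as the Kerberos otherName.
                if (entry ~ /^DNS:/) print tolower(substr(entry, 5))
            }
            grab = 0
        }
    '
}

# Succeed only if $1 equals one DNS SAN exactly (case-insensitive).
# A substring match would wrongly accept e.g. "map.example.com".
has_dns_san() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    san_dns_names | grep -Fxq -- "$want"
}

# Constructed sample of openssl text output, using the host names from the thread.
SAMPLE_TEXT='        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:smtp.example.com, DNS:imap.example.com, othername:<unsupported>
            X509v3 Subject Key Identifier:
                00:11:22:33'

if printf '%s\n' "$SAMPLE_TEXT" | has_dns_san imap.example.com; then
    echo "OK: imap.example.com is present as a DNS subjectAltName"
else
    echo "MISSING: imap.example.com is not in the certificate" >&2
fi
```
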


2015-09-09 18:12 GMT+02:00 Petr Spacek <pspacek at redhat.com>:

> On 5.9.2015 12:48, Günther J. Niederwimmer wrote:
> > Hello,
> >
> > System CentOS 7.
> >
> > is it possible to change a certificate to add a subject alt name?
> >
> > My "Problem" is, I have a Mail Server with name smtp.example.com and the
> > correct service certificates smtp/smtp.example.com & imap/example.com now I
> > make in my DNS Server (is an external system) a new Record "imap IN CNAME smtp"
> > but this is now missing in the certificate?
> >
> > The Problem I mean is DNSSEC, so I can't setup this with freeIPA and I don’t
> > have a host/imap.example.com.
>
> I'm sorry but I do not see how this is related to DNS. It might not be
> related to IPA at all.
>
> IPA only issues the cert. If the cert contains both subjectAltNames then
> the problem is likely in your DNS configuration or in configuration on the
> application server side (where you installed the cert).
>
> Unfortunately I'm not able to tell you more without more details - what
> application you use, what versions, how you configured it, etc.
>
> --
> Petr^2 Spacek