[Freeipa-users] add SubjectAltName (SAN) to IPA certificate

Martin Kosek mkosek at redhat.com
Tue Sep 15 11:01:02 UTC 2015


On 09/15/2015 12:35 PM, Brian J. Murrell wrote:
> On Sat, 2015-09-12 at 08:57 -0400, Brian J. Murrell wrote:
>> Due to the bug in mod_nss that prevents SNI from functioning (i.e.
>> limits a port to a single certificate) I need to add SANs
>> (SubjectAltName) to the certificate that freeipa created for the
>> webserver (Server-Cert) so that I can add more virtual hosts to the
>> same Apache instance (yes, I know this is not advised but budgetary
>> constraints are at play here).
>>
>> How do I go about that?  Do I want to resubmit the certificate request
>> with some -D alt.name1 -D alt.name2, etc. parameters as such:
>>
>> # ipa-getcert resubmit -i <Request ID> -D alt.name1 -D alt.name2
>>
>> Is that the correct operation?  If so, is there anything more I need to
>> do after that?
> 
> Nobody knows?  I would have thought that this would be one of the
> easier routines in IPA certificate handling, no?

BTW, there was a related thread on freeipa-users in the past, with some links to
related information:

https://www.redhat.com/archives/freeipa-users/2012-June/msg00216.html

I assume the only change since then is that FreeIPA now supports the proper SAN
extension.



