[Freeipa-users] add SubjectAltName (SAN) to IPA certificate

Brian J. Murrell brian at interlinx.bc.ca
Tue Sep 15 11:22:19 UTC 2015


On Tue, 2015-09-15 at 13:01 +0200, Martin Kosek wrote:
> BTW, there was a related thread on freeipa-users in the past, with
> some links to related information:
> 
> https://www.redhat.com/archives/freeipa-users/2012-June/msg00216.html

So this writeup seems to ignore the fact that Apache and the
certificate store have already been established with mod_nss by the
time you have finished a FreeIPA installation, and does nothing about
that, given that mod_nss and mod_ssl are mutually exclusive (AFAIU)
for a single port.

But yeah.  I did consider ditching mod_nss and replacing it with
mod_ssl but that seems like quite an extensive disruption to the
default FreeIPA Apache configuration.  In my experience, the further
you get out of the box with integration projects like FreeIPA, the more
fragile things are for future upgrading.

> I assume the only change since then is that FreeIPA now supports
> proper SAN
> extension.

Indeed, which seems to provide for a cleaner hack.  It leaves the
Apache configuration for FreeIPA intact and makes the future reversion,
when mod_nss properly supports SNI, easier.

Cheers,
b.
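The practical point behind this exchange is that without SNI a single Apache port can present only one certificate, so every hostname the IPA web server must answer for has to appear in that one certificate's SAN; the CN alone no longer satisfies current browsers. Below is an added example, not code from this thread or from the FreeIPA project, that checks a certificate's SAN coverage the way a TLS client would. The certificate dicts are constructed samples in the shape returned by Python's ssl.SSLSocket.getpeercert(), and the hostnames and address are hypothetical.

```python
"""Check that a certificate's SAN covers every hostname the server must
answer for.  Added example for this thread, not FreeIPA project code.
The certificate dicts are constructed samples shaped like the return value
of ssl.SSLSocket.getpeercert(); hostnames and IP are hypothetical."""
import ipaddress

# Constructed sample: a CN-only certificate with no SAN extension, as a
# server certificate issued without a SAN would look to a client.
CN_ONLY_CERT = {
    "subject": ((("commonName", "ipa.example.test"),),),
}

# Constructed sample: the same identity re-issued with a SAN that lists
# both DNS names and the server address.
SAN_CERT = {
    "subject": ((("commonName", "ipa.example.test"),),),
    "subjectAltName": (
        ("DNS", "ipa.example.test"),
        ("DNS", "sso.example.test"),
        ("IP Address", "192.0.2.10"),
    ),
}


def dns_name_matches(pattern, hostname):
    """RFC 6125-style dNSName match: case-insensitive, trailing dot ignored,
    a wildcard only as the entire left-most label, matching exactly one
    label, and never for a bare public suffix such as '*.test'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_names(cert):
    """Return (dns_names, ip_addresses) taken from the SAN extension only.
    A certificate without a SAN yields empty lists: the CN is deliberately
    not consulted, because current clients do not fall back to it."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    return dns, ips


def uncovered_hosts(cert, required):
    """Return the subset of `required` for which a client would reject
    `cert`.  IP literals are compared as addresses, names as dNSNames."""
    dns, ips = san_names(cert)
    missing = []
    for host in required:
        try:
            ok = ipaddress.ip_address(host) in ips
        except ValueError:
            ok = any(dns_name_matches(p, host) for p in dns)
        if not ok:
            missing.append(host)
    return missing


if __name__ == "__main__":
    needed = ["ipa.example.test", "sso.example.test", "192.0.2.10"]
    print("CN-only cert is rejected for:", uncovered_hosts(CN_ONLY_CERT, needed))
    print("SAN cert is rejected for:    ", uncovered_hosts(SAN_CERT, needed))
```

Against a live server the same check can be fed the dict returned by ssl.SSLSocket.getpeercert() after a handshake with the IPA host, which shows directly whether the re-issued certificate covers the extra name before any Apache configuration is touched.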