[Freeipa-users] certificate add subject alt Name
piolet.y at gmail.com
Thu Sep 10 13:59:51 UTC 2015
I'm not sure I understood all of your problem, but here is some
information that may help:
- First, you don't change a certificate, but you can revoke it and make a new
- If you need to add a SubjectAltName to a certificate, you may have
realized that the -D parameter makes the request get rejected by FreeIPA
when you try this:
$ ipa-getcert request -d $NSSPATH -n $CERTNAME -p $PWDFILE \
    -N "CN=$FQDN,O=$DOMAIN" -D "$CNAME" -K $PRINCIPAL
You have to force FreeIPA to recognise the CNAME first.
$ ipa host-add cname.domain --force
$ ipa service-add service/fqdn
$ ipa service-add service/cname.domain --force
$ ipa service-add-host service/cname.domain --host fqdn
Then the ipa-getcert request will work.
I hope it helps (you or anyone else needing a subjectaltname in a
piolet.y at gmail.com
2015-09-09 18:12 GMT+02:00 Petr Spacek <pspacek at redhat.com>:
> On 5.9.2015 12:48, Günther J. Niederwimmer wrote:
> > Hello,
> > System CentOS 7.
> > is it possible to change a certificate to add a subject alt name?
> > My "Problem" is, I have a Mail Server with name smtp.example.com and the
> > correct service certificates smtp/smtp.example.com & imap/example.com now I
> > make in my DNS Server (is a external system) a new Record "imap IN CNAME
> > but this is now missing in the certificate?
> > The Problem I mean is DNSSEC, so I can't setup this with freeIPA and I
> > have a host/imap.example.com.
> I'm sorry but I do not see how this is related to DNS. It might not be
> to IPA at all.
> IPA only issues the cert. If the cert contains both subjectAltNames then
> problem is likely in your DNS configuration or in configuration on the
> application server side (where you installed the cert).
> Unfortunately I'm not able to tell you more without more details - what
> application you use, what versions, how you configured it, etc.
> Petr^2 Spacek
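An added check, not part of the original thread: after the `ipa-getcert request` from the reply above has been issued, confirm that every hostname clients will connect to is listed as a DNS subjectAltName, because clients following RFC 6125 match against the SAN entries and not the subject CN when a SAN is present. The function name `missing_san`, the `certutil | openssl` pipeline in the comment and the sample certificate text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Pipe certificate text into
# missing_san, for instance:
#   certutil -L -d "$NSSPATH" -n "$CERTNAME" -a | openssl x509 -noout -text \
#       | missing_san "$FQDN" "$CNAME"

# Print each expected hostname that is absent from the DNS subjectAltName
# entries of the certificate text on stdin. Returns 0 only if none is missing.
missing_san() {
    # openssl prints the SAN values on the single line after the header.
    sans=$(awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\)[[:space:]]*$/\1/p' |
        tr '[:upper:]' '[:lower:]')
    rc=0
    for name in "$@"; do
        want=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        # -x -F: whole-line literal match, so imap.example.com does not
        # satisfy a check for map.example.com. Wildcards are not expanded.
        if ! printf '%s\n' "$sans" | grep -qxF -- "$want"; then
            printf '%s\n' "$name"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the host name is in the subject CN, but only the CNAME
# was requested as a SAN. The otherName entry stands for the Kerberos
# principal as openssl may render it.
SAMPLE_CERT_TEXT='        Subject: O=EXAMPLE.COM, CN=smtp.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:imap.example.com, othername:<unsupported>
            X509v3 Subject Key Identifier: 
                (constructed)'
```

Run against the constructed sample, the function reports `smtp.example.com` as missing: the name appears only in the CN, so a client connecting to that name would not find it among the SAN entries.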