[Freeipa-users] IP SAN in certificates

Rob Crittenden rcritten at redhat.com
Fri Oct 7 13:30:35 UTC 2016


Alessandro De Maria wrote:
> Hello,
>
> I am running the following command to create a certificate for etcd
>
> "ipa-getcert", "request", "-w", "-r", "-f", "/etc/etcd/ssl/server.crt",
> "-k", "/etc/etcd/ssl/server.key", "-N", "CN=dock07.prod.zzzzzz", "-D",
> "dock07.prod.zzzz", "-A", "10.0.1.67", "-K", "etcd/dock07.prod.zzzz"
>
>     ca-error: Server at https://id1.prod.zzzzzz/ipa/xml denied our
>     request, giving up: 2100 (RPC failed at server.  Insufficient
>     access: Subject alt name type IP Address is forbidden).
>
>
>
> I believe FreeIPA does not currently support IPs as the SAN of a
> certificate.
>
> Is this still the case? Is there a workaround?

Still the case (and not likely to change AFAIK) and the only workaround 
is in code.

rob
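
An added example, not part of the original thread: a pre-submission check that lists the subjectAltName entries of a request and picks out the iPAddress type that the server refused above. It assumes the input is the DER-encoded GeneralNames value of the SAN extension (already extracted from the CSR); the function names and the sample host name `dock07.prod.example` are constructed for illustration.

```python
import ipaddress

# GeneralName context tags from RFC 5280 (string-like types plus iPAddress).
SAN_TYPES = {0x81: "rfc822Name", 0x82: "dNSName", 0x86: "URI", 0x87: "iPAddress"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def san_entries(ext_value):
    """Decode a DER GeneralNames SEQUENCE into (type, value) pairs."""
    tag, body, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        name = SAN_TYPES.get(tag, "other(0x%02x)" % tag)
        if tag == 0x87:
            text = str(ipaddress.ip_address(val))   # 4 bytes IPv4, 16 bytes IPv6
        elif tag in SAN_TYPES:
            text = val.decode("ascii")
        else:
            text = val.hex()                        # types not decoded here
        out.append((name, text))
    return out

def ip_sans(ext_value):
    """SAN values of the type the IPA server refused in this thread."""
    return [v for t, v in san_entries(ext_value) if t == "iPAddress"]

# Constructed sample: a SAN with one dNSName and one iPAddress, as the
# -D and -A options in the request above ask for (host name is a placeholder).
dns = b"dock07.prod.example"
SAMPLE = bytes([0x30, 2 + len(dns) + 6, 0x82, len(dns)]) + dns + bytes([0x87, 4, 10, 0, 1, 67])

if __name__ == "__main__":
    print(san_entries(SAMPLE))
    print("IP SANs the CA would refuse:", ip_sans(SAMPLE))
```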



