[Freeipa-users] IP SAN in certificates

Fraser Tweedale ftweedal at redhat.com
Sun Oct 9 23:59:26 UTC 2016


On Fri, Oct 07, 2016 at 09:30:35AM -0400, Rob Crittenden wrote:
> Alessandro De Maria wrote:
> > Hello,
> > 
> > I am running the following command to create a certificate for etcd
> > 
> > ipa-getcert", "request", "-w", "-r", "-f", "/etc/etcd/ssl/server.crt",
> > "-k", "/etc/etcd/ssl/server.key", "-N", "CN=dock07.prod.zzzzzz", "-D",
> > "dock07.prod.zzzz", "-A", "10.0.1.67", "-K", "etcd/dock07.prod.zzzz"
> > 
> >     ca-error: Server at https://id1.prod.zzzzzz/ipa/xml denied our
> >     request, giving up: 2100 (RPC failed at server.  Insufficient
> >     access: Subject alt name type IP Address is forbidden).
> > 
> > 
> > 
> > I believe FreeIPA does not currently support IPs as the SAN of a
> > certificate.
> > 
> > Is this still the case? Is there a workaround?
> 
> Still the case (and not likely to change AFAIK) and the only workaround is
> in code.
> 
There have occasionally been discussions about this.  It might be
possible in the future, if we implement an extensible cert request
authorisation mechanism.  Won't happen anytime soon, though.

> rob