[Freeipa-users] getcert, multiple alternative names (SANs), and wildcard certificates

Wim Lewis wiml at omnigroup.com
Thu Apr 6 05:38:48 UTC 2017


With a bit of tweaking, I was able to generate a usable certificate by creating a second host entry, 'wildcard.blah.example.com', managed by blah.example.com, and then editing the leftmost label from 'wildcard' to '*' in all of the host's LDAP entry's properties.


On Apr 3, 2017, at 6:41 PM, Fraser Tweedale <ftweedal at redhat.com> wrote:
> The only way is to create a profile that hard-codes the desired SAN
> data, then use that profile.

Out of curiosity, if my LDAP approach didn't work, how would I do that? I assume it involves `ipa certprofile-import`, but is there any documentation on the format it expects? The examples I've found have no mention of SANs at all, so it's not clear how I would hard code the desired SAN.

> Is your instance publicly hosted?  Perhaps the sandstorm.io
> developers could support ACME/Let's Encrypt so that certs can be
> automatically acquired for each domain...

This would be possible, I assume, but it would couple the sandstorm instance rather tightly to its CA --- requiring the CA to issue a certificate for every new user session. Let's Encrypt does rate limiting which would prevent this, for example.

An alternative would be to run a local sub-CA for uses like sandstorm, but this would require a CA to support issuing name-constrained sub-CAs (and if wildcard certs are considered too sloppily implemented in real-world clients to be trustworthy, then name constraints definitely are!).

> But see also §7.2 which states that wildcard certs are deprecated :)
> https://tools.ietf.org/html/rfc6125#section-7.2

Only mostly deprecated; it admits of legitimate uses for them. :) Wildcards are not the best feature of the web PKI, I agree, and I wouldn't want to use them if I could think of a viable alternative.

(And consider that putting domains in the CN has been deprecated since HTTPS/TLS was even a standard, back in 2000 --- yet everyone still does that.)
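As an added illustration of the RFC 6125 §6.4.3 wildcard rules the thread refers to (example code, not from the original message or from FreeIPA): a strict matcher that checks a reference hostname only against a certificate's SAN dNSName entries, never the CN, and treats "*.blah.example.com" as covering exactly one label. The requirement that at least two labels follow the wildcard is an assumption beyond RFC 6125 (CA/Browser Forum practice), and the SAN list is constructed.

```python
"""Strict RFC 6125 section 6.4.3 reference-identity matching against the
dNSName entries of a certificate's SAN extension. Added example; not from
the original thread."""
from __future__ import annotations


def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive; a trailing dot (FQDN form) is ignored.
    return name.lower().rstrip(".").split(".")


def san_matches(presented: str, reference: str) -> bool:
    """True if the presented dNSName (from the SAN extension) matches the
    reference hostname the client connected to."""
    p, r = _labels(presented), _labels(reference)
    if not p or not r or "" in p or "" in r:
        return False
    if "*" not in presented:
        return p == r
    # Wildcard rules, applied strictly:
    #  - the wildcard must be the entire leftmost label ("*.example.com"),
    #    so "f*o.example.com" and "foo.*.example.com" are rejected;
    #  - it matches exactly one label, so "*.example.com" covers neither
    #    "a.b.example.com" nor the bare "example.com";
    #  - at least two labels must follow it ("*.com" is rejected); this is
    #    an assumed CA/Browser Forum style check beyond RFC 6125.
    if p[0] != "*" or any("*" in lbl for lbl in p[1:]):
        return False
    if len(p) < 3:
        return False
    return len(r) == len(p) and r[1:] == p[1:]


def hostname_matches_cert(reference: str, san_dns_names: list[str]) -> bool:
    """Check the reference identity against SAN dNSName entries only; the
    CN is deliberately not consulted (the deprecated fallback)."""
    return any(san_matches(s, reference) for s in san_dns_names)


# Constructed SAN list mirroring the names used in the thread.
EXAMPLE_SANS = ["blah.example.com", "*.blah.example.com"]
```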
