<div dir="ltr">Hello, I would like to better understand why IPA requires SAN (subject alternative name) entries to have a backing host record. In order to sign a certificate with a SAN that corresponded to a user friendly CNAME I had to add a host record (ipa host) for that DNS name (use force option to create without an A/AAAA record) as well as a service principle. I'm sure I'm not alone when I say I don't like doing that because it means that a "Host" in FreeIPA is not a computer, it's a host record that may or may not be the only record that corresponds to a computer. It gets confusing. I assume things are this way to ensure integrity at some level. But I can't picture it. What is the potential danger of simply bypassing the host/principal checks and just signing the certificate with whatever SAN field we like? If this actually is a necessity and is not likely to change, I think it would be beneficial to administrators to be able to manage "Hosts" that correspond to CNAMEs (call them "Alias Hosts"? ) separately from Hosts that are actually enrolled computers. They could be managed in a similar fashion to SUDO rules, like maybe: Alias Hosts = a single name Alias Host Groups = groups of names Alias Host Maps = associate Alias Host/Group with a Hosts or Host Groups I'm picturing Alias Hosts and Alias groups as a seperate tab under Identity (and some corresponding "ipa aliashost-*" CLI) and Alias Host Maps tab under policy. </div>