Worked! Thanks!

I suppose there isn't a way to get the output of getcert as JSON/object? I 
would prefer to do this with Ansible =)

Also, "sudo systemctl restart httpd" post renewal (looks like the hooks aren't 
configured for the cert renewal to restart dependent services.)

----- Original Message -----
From: "Alexander Bokovoy" <>
To: "Jake" <>, "freeipa-users" 
Sent: Tuesday, May 23, 2017 2:20:06 PM
Subject: Re: [Freeipa-users] Chrome 58 - CN for IPA management console to 
include SANs

On Tue, 23 May 2017, Jake via FreeIPA-users wrote:
>Hey All,
>I think this is fixed in 4.4.2 but since we use centos upstream we are
>limited to 4.4.0, is there a way to manually re-issue the SSL
>Certificates used for apache on the IPA masters for the web interface
>to include the DNS Names as Subject Alternative Names?


  # getcert list -d /etc/httpd/alias -n "Server-Cert"
   ... output ...

  # getcert resubmit -i <ID> -D `hostname -f`

where <ID> is the request ID from the output of 'getcert list'.

Perform this on all IPA masters.

See man page for getcert-resubmit for details on what SAN extensions
could be added.

/ Alexander Bokovoy
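
An added example, not part of the original messages: one way to turn `getcert list` text into JSON and flag tracked certificates whose CN is missing from the DNS SANs or that have no post-save command. The sample output, host names, nicknames and hook path are constructed, and the field labels (`subject`, `dns`, `post-save command`) are assumptions about certmonger's text layout.

```python
import json
import re
# Constructed sample shaped like `getcert list` text output (not from a real host).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20170523000001':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
\tsubject: CN=ipa1.example.test,O=EXAMPLE.TEST
\tdns: ipa1.example.test
\tpost-save command: /path/to/restart-hook
Request ID '20170523000002':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/example/alias',nickname='Other-Cert'
\tsubject: CN=ipa2.example.test,O=EXAMPLE.TEST
\tpost-save command:
"""

REQ_RE = re.compile(r"^Request ID '([^']+)':\s*$")

def parse_getcert_list(text):
    """Return {request_id: {field: value}} from indented 'field: value' lines."""
    requests, current = {}, None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and line[:1] in ("\t", " ") and ":" in line:
            key, _, value = line.strip().partition(":")  # split on first colon only
            current[key.strip()] = value.strip()
    return requests

def audit(requests):
    """Flag requests whose CN is not a dns SAN, or that have no post-save hook."""
    findings = []
    for rid, f in sorted(requests.items()):
        sans = [s.strip() for s in f.get("dns", "").split(",") if s.strip()]
        m = re.search(r"(?:^|,)\s*CN=([^,]+)", f.get("subject", ""))
        cn = m.group(1) if m else None
        if cn not in sans:
            findings.append({"id": rid, "issue": "cn_not_in_san", "cn": cn})
        if not f.get("post-save command"):
            findings.append({"id": rid, "issue": "no_post_save_command"})
    return findings

if __name__ == "__main__":
    reqs = parse_getcert_list(SAMPLE)
    print(json.dumps({"requests": reqs, "findings": audit(reqs)}, indent=2))
```

Run against real `getcert list` output on each IPA master after the resubmit; an empty `findings` list means every tracked certificate carries its CN as a DNS SAN and has a post-save command set.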