That did it, thanks Fraser. On Fri, Oct 20, 2017 at 5:48 PM, Fraser Tweedale <[email protected]> wrote:
> On Fri, Oct 20, 2017 at 10:59:36AM -0700, Steve Dainard via FreeIPA-users wrote:
> > Hello
> >
> > I have a RHEL7 IPA server installed as a subordinate CA. I'd like to be
> > able to add SANs for a different DNS domain than exists in the IPA realm.
> > The DNS for 'otherdomain.com' is handled by Active Directory, which my IPA
> > server has a cross-forest trust with.
> >
> > ie:
> > host: client1.ipadomain.com
> > certificate: CN = client1.ipadomain.com, SAN = client1.ipadomain.com,
> > servicename.otherdomain.com
> >
> > When I try to submit this CSR with 'ipa-getcert request' the IPA server
> > denies with: "The service principal for subject alt name
> > servicename.otherdomain.com in certificate request does not exist"
> >
> > It seems that the default CAACL enforces a profile named
> > 'caIPAserviceCert', but I'm having some trouble determining what can be
> > modified (or cloned and changed in a new profile) that would allow the CA
> > to sign a CSR that contains *.ipadomain.com and *.otherdomain.com in the
> > SAN.
> >
> > This is the only section in the profile that contains SAN:
> > policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.12.constraint.name=No Constraint
> > policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
> > policyset.serverCertSet.12.default.name=Copy Common Name to Subject
> > Alternative Name
> >
> > Thanks,
> > Steve
>
> You can add a principal alias to the service principal:
>
> % ipa service-add-principal HTTP/client1.ipadomain.com \
> HTTP/servicename.otherdomain.com
>
> Then the CSR validation routine will see the
> `servicename.otherdomain.com' SAN dnsName as a valid SAN for the
> subject principal.
>
> (This feature was added in FreeIPA 4.5)
>
> Cheers,
> Fraser
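The rule Fraser describes (a SAN dnsName is accepted only when the requesting service owns a principal, canonical or alias, whose host part matches it) is easy to lose sight of when debugging a rejected request. The following is an added, constructed model of that check, not FreeIPA's own validation code; the `Service` class, the `check_san_dnsnames` function and the sample principal names are assumptions made for this example. It reproduces the thread's failure first, then shows the same CSR passing once the alias from Fraser's `ipa service-add-principal` command is present.

```python
"""Constructed model of the SAN-versus-principal check discussed above.

Not FreeIPA's code: it reproduces the rule that a SAN dnsName is accepted
only if the requesting service has a principal (canonical name or alias)
whose host part equals that dnsName.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def principal_hostname(principal: str) -> str:
    """Return the lowercased host part of a Kerberos service principal.

    'HTTP/client1.ipadomain.com@IPADOMAIN.COM' -> 'client1.ipadomain.com'
    A bare 'HTTP/host' without a realm is accepted too.
    """
    if "/" not in principal:
        raise ValueError(f"not a service principal: {principal!r}")
    _service, rest = principal.split("/", 1)
    return rest.split("@", 1)[0].lower()


@dataclass
class Service:
    """A service entry with its canonical principal and any aliases (assumed shape)."""
    canonical: str
    aliases: list[str] = field(default_factory=list)

    def hostnames(self) -> set[str]:
        # Every principal on the entry, canonical or alias, contributes a hostname.
        return {principal_hostname(p) for p in [self.canonical, *self.aliases]}

    def add_principal(self, alias: str) -> None:
        # Models the effect of `ipa service-add-principal <canonical> <alias>`.
        if alias not in self.aliases:
            self.aliases.append(alias)


def check_san_dnsnames(service: Service, san_dnsnames: list[str]) -> tuple[list[str], list[str]]:
    """Split the CSR's SAN dnsNames into (accepted, rejected) for this service."""
    allowed = service.hostnames()
    accepted: list[str] = []
    rejected: list[str] = []
    for name in san_dnsnames:
        (accepted if name.lower() in allowed else rejected).append(name)
    return accepted, rejected


def rejection_message(name: str) -> str:
    """The error text quoted in the thread, for the first rejected SAN."""
    return (f"The service principal for subject alt name {name} "
            "in certificate request does not exist")


# Constructed sample: the CSR from the thread, before and after the alias.
CSR_SANS = ["client1.ipadomain.com", "servicename.otherdomain.com"]


def run_scenario() -> tuple[list[str], list[str]]:
    """Return (rejected before alias, rejected after alias)."""
    svc = Service("HTTP/client1.ipadomain.com@IPADOMAIN.COM")
    _ok, rejected_before = check_san_dnsnames(svc, CSR_SANS)
    svc.add_principal("HTTP/servicename.otherdomain.com@IPADOMAIN.COM")
    _ok, rejected_after = check_san_dnsnames(svc, CSR_SANS)
    return rejected_before, rejected_after


if __name__ == "__main__":
    before, after = run_scenario()
    for name in before:
        print("before alias:", rejection_message(name))
    print("after alias, rejected SANs:", after)
```

On a real server the equivalent of `Service.hostnames()` is the list of principals shown by `ipa service-show`, so when a request is denied with that message, comparing the CSR's dnsNames against that list is the first thing to check.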
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
