That did it, thanks Fraser.

On Fri, Oct 20, 2017 at 5:48 PM, Fraser Tweedale <ftwee...@redhat.com>
wrote:

> On Fri, Oct 20, 2017 at 10:59:36AM -0700, Steve Dainard via FreeIPA-users
> wrote:
> > Hello
> >
> > I have a RHEL7 IPA server installed as a subordinate CA. I'd like to be
> > able to add SANs for a different DNS domain than exists in the IPA realm.
> > The DNS for 'otherdomain.com' is handled by Active Directory, which my IPA
> > server has a cross-forest trust with.
> >
> > ie:
> > host: client1.ipadomain.com
> > certificate: CN = client1.ipadomain.com, SAN = client1.ipadomain.com,
> > servicename.otherdomain.com
> >
> > When I try to submit this CSR with 'ipa-getcert request' the IPA server
> > denies with: "The service principal for subject alt name
> > servicename.otherdomain.com in certificate request does not exist"
> >
> > It seems that the default CAACL enforces a profile named
> > 'caIPAserviceCert', but I'm having some trouble determining what can be
> > modified (or cloned and changed in a new profile) that would allow the CA
> > to sign a CSR that contains *.ipadomain.com and *.otherdomain.com in the
> > SAN.
> >
> > This is the only section in the profile that contains SAN:
> > policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
> > policyset.serverCertSet.12.constraint.name=No Constraint
> > policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
> > policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name
> >
> > Thanks,
> > Steve
> >
> You can add a principal alias to the service principal:
>
>   % ipa service-add-principal HTTP/client1.ipadomain.com \
>       HTTP/servicename.otherdomain.com
>
> Then the CSR validation routine will see the
> `servicename.otherdomain.com' SAN dnsName as a valid SAN for the
> subject principal.
>
> (This feature was added in FreeIPA 4.5)
>
> Cheers,
> Fraser
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
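The check Fraser describes, written up as an added example (a simplified model, not FreeIPA's own code): each SAN dNSName is mapped to a principal of the subject's service type, and the request passes only if that principal is the subject principal or one of its aliases. The realm name IPADOMAIN.COM, the SERVICES table and the function names are assumptions for the demonstration.

```python
"""Model of the FreeIPA CSR SAN check from the thread (constructed example)."""
import copy

REALM = "IPADOMAIN.COM"  # assumed realm; not taken from the thread

# Constructed directory state: canonical principal -> set of principal names,
# mirroring what `ipa service-show` lists as "Principal name"/"Principal alias".
SERVICES = {
    "HTTP/client1.ipadomain.com@IPADOMAIN.COM": {
        "HTTP/client1.ipadomain.com@IPADOMAIN.COM",
    },
}

ERR = "The service principal for subject alt name {} in certificate request does not exist"


def add_principal_alias(services, canonical, alias):
    """Model of `ipa service-add-principal CANONICAL ALIAS` (FreeIPA >= 4.5)."""
    if "@" not in alias:
        alias = f"{alias}@{REALM}"
    services[canonical].add(alias)


def validate_san(services, subject_principal, san_dnsnames):
    """Return (ok, message) for a CSR carrying the given SAN dNSNames.

    A SAN dnsName X for subject SERVICE/host@REALM is valid only if
    SERVICE/X@REALM is the subject principal itself or one of its aliases.
    """
    service_type = subject_principal.split("/", 1)[0]
    allowed = services.get(subject_principal, set())
    for name in san_dnsnames:
        candidate = f"{service_type}/{name}@{REALM}"
        if candidate not in allowed:
            return False, ERR.format(name)
    return True, "ok"


def run_scenario():
    """Replays the thread: rejected before the alias is added, accepted after."""
    services = copy.deepcopy(SERVICES)
    subject = "HTTP/client1.ipadomain.com@IPADOMAIN.COM"
    sans = ["client1.ipadomain.com", "servicename.otherdomain.com"]
    before = validate_san(services, subject, sans)
    add_principal_alias(services, subject, "HTTP/servicename.otherdomain.com")
    after = validate_san(services, subject, sans)
    return before, after


if __name__ == "__main__":
    print(run_scenario())
```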