On Thu, 30 Nov 2017, dbischof--- via FreeIPA-users wrote:
Dear list,

one of my IPA masters (master.example.com, IPA 4.5) runs a Dokuwiki and a DAViCal instance besides IPA. DNS is external (not managed by IPA) and I asked the DNS admin to create CNAMEs wiki.example.com and cal.example.com that point to master.example.com.

That works, but my users get browser warnings "SSL_ERROR_BAD_CERT_DOMAIN" upon first connect via the CNAMEs and have to allow exceptions. Unbeautiful.

Therefore, I force-created dummy hosts in IPA and let them be managed by master.example.com:

$ ipa host-add wiki.example.com --force
$ ipa service-add HTTP/wiki.example.com --force
$ ipa service-add-host HTTP/wiki.example.com --host master.example.com

If I revoked the certificate for HTTP/master.example.com now (I haven't dared to yet), would a new certificate be created that contains wiki.example.com as an X509v3 Subject Alternative Name? It probably isn't that easy, right?

Yes, it is not that easy. You do not need to revoke anything, though.

Use getcert to re-submit the existing certificate request that tracks your
http certificate in /etc/httpd/alias:

1. Obtain request ID
# getcert list -d /etc/httpd/alias

2. Re-submit the request with additional SANs, retaining the original SAN
   and Kerberos principal:
# getcert resubmit -i "REQUEST-ID" -D master.example.com -D wiki.example.com -K HTTP/master.example.com

3. Watch that the request went to the MONITORING state
# getcert list -i "REQUEST-ID"

You'll see that it has two 'dns' properties now.

--
/ Alexander Bokovoy
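A small check for step 3, added here and not part of the original thread: it parses `getcert list -i REQUEST-ID` output and confirms the request is MONITORING, not stuck, and carries every expected 'dns' entry. The getcert output below is a constructed sample, not output from the poster's master; the request ID is an assumed placeholder.

```shell
# Constructed sample of `getcert list -i REQUEST-ID` output after the resubmit
# (abbreviated; request ID and dates are made up for this example).
sample_getcert_output() {
  cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID '20171130123456':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
	CA: IPA
	subject: CN=master.example.com,O=EXAMPLE.COM
	principal name: HTTP/master.example.com@EXAMPLE.COM
	dns: master.example.com
	dns: wiki.example.com
	track: yes
	auto-renew: yes
EOF
}

# check_san: read getcert output on stdin; succeed only if the request is in
# the MONITORING state, not stuck, and every name given as an argument
# appears as a 'dns:' line (i.e. will be a SAN in the issued certificate).
check_san() {
  out=$(cat)
  printf '%s\n' "$out" | grep -q '^[[:space:]]*status: MONITORING$' || {
    echo "request is not in MONITORING state" >&2; return 1; }
  printf '%s\n' "$out" | grep -q '^[[:space:]]*stuck: no$' || {
    echo "request is stuck" >&2; return 1; }
  rc=0
  for name in "$@"; do
    if ! printf '%s\n' "$out" | grep -qx "[[:space:]]*dns: $name"; then
      echo "missing SAN: $name" >&2; rc=1
    fi
  done
  return $rc
}

# On a real master, after the resubmit (REQUEST-ID as obtained in step 1):
#   getcert list -i "REQUEST-ID" | check_san master.example.com wiki.example.com
```

A non-zero exit names each missing SAN on stderr, which is the case to look for before trusting the renewed certificate.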
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org