On Thu, 30 Nov 2017, Alexander Bokovoy via FreeIPA-users wrote:
On Thu, 30 Nov 2017, dbischof--- via FreeIPA-users wrote:
one of my IPA masters (master.example.com, IPA 4.5) runs a Dokuwiki and a
DAViCal instance besides IPA. DNS is external (not managed by IPA) and I
asked the DNS admin to create CNAMEs wiki.example.com and cal.example.com
that point to master.example.com.
That works, but my users get browser warnings "SSL_ERROR_BAD_CERT_DOMAIN"
upon first connect via the CNAMEs and have to allow exceptions.
Therefore, I force-created dummy hosts in IPA and let them be managed by
$ ipa host-add wiki.example.com --force
$ ipa service-add HTTP/wiki.example.com --force
$ ipa service-add-host HTTP/wiki.example.com --host master.example.com
If I would revoke the certificate for HTTP/master.example.com now (didn't
dare yet), will a new certificate be created that contains wiki.example.com
as X509v3 Subject Alternative Name? It probably isn't that easy, right?
Yes, it is not that easy. You do not need to revoke anything, though.
Use getcert to re-submit existing certificate request that tracks your
http certificate in /etc/httpd/alias:
1. Obtain request ID
# getcert list -d /etc/httpd/alias
2. Re-submit the request with additional SANs and retaining original SAN and
# getcert resubmit -i "REQUEST-ID" -D master.example.com -D wiki.example.com -K
3. Watch that the request went to the MONITORING state
# getcert list -i "REQUEST-ID"
You'll see that it has two 'dns' properties now.
works like a charm, even with multiple "-D"s, big thank you.
Mit freundlichen Gruessen/With best regards,
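
A check for step 3 of the procedure in the thread above, as an added example that is not part of the original messages: it parses `getcert list` output and confirms the request is in MONITORING and that every expected host name appears under `dns`. The sample output is constructed for illustration, and the function names `request_field` and `check_request` are hypothetical.

```shell
#!/bin/sh
# SAMPLE_OUTPUT is constructed for illustration, not captured from a real host.
SAMPLE_OUTPUT="Number of certificates and requests being tracked: 1.
Request ID '20171130000000':
    status: MONITORING
    stuck: no
    CA: IPA
    subject: CN=master.example.com,O=EXAMPLE.COM
    dns: master.example.com,wiki.example.com
    principal name: HTTP/master.example.com@EXAMPLE.COM"

# request_field TEXT FIELD: print the values of every "FIELD: ..." line, one per
# line. Comma-separated lists are split, so repeated "dns:" lines and a single
# joined line are handled the same way.
request_field() {
    printf '%s\n' "$1" | awk -v f="$2" '
        { sub(/^[ \t]+/, "") }
        index($0, f ": ") == 1 {
            n = split(substr($0, length(f) + 3), parts, ",")
            for (i = 1; i <= n; i++) { gsub(/^ +| +$/, "", parts[i]); print parts[i] }
        }'
}

# check_request TEXT NAME...: return 0 only if the (single) request in TEXT is in
# MONITORING and every NAME is listed as a dns value; otherwise report and return 1.
check_request() {
    cr_text=$1; shift
    cr_rc=0
    cr_status=$(request_field "$cr_text" status)
    if [ "$cr_status" != "MONITORING" ]; then
        echo "status is '${cr_status:-unknown}', expected MONITORING"; cr_rc=1
    fi
    for cr_name in "$@"; do
        if ! request_field "$cr_text" dns | grep -qxF -- "$cr_name"; then
            echo "missing dns name: $cr_name"; cr_rc=1
        fi
    done
    return $cr_rc
}

# On the IPA master, feed it the real output for one request:
#   check_request "$(getcert list -i "REQUEST-ID")" master.example.com wiki.example.com
check_request "$SAMPLE_OUTPUT" master.example.com wiki.example.com && echo "OK"
```

Running it with a name that was not passed via `-D` (for example cal.example.com) reports that name as missing, which is the condition that produces the browser warning described in the first message.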