On Wed, 31 Oct 2018, Henrik Johansson via FreeIPA-users wrote:
Hello,

I am looking at using FreeIPA without CA, using external signed
certificates. Reading the documentation, it looks possible using
--dirsrv-cert-file, --http-cert-file and --pkinit-cert-file. Should I just
create a CSR for the hostname by hand and get it signed? Also, is
there any good reason for having different certs for http, ldap and
pkinit? Can I just use one certificate for all services and for all
servers and replicas using Subject Alternative Names?

For the latter part, it is better to separate the PKINIT cert out. It
requires a very specific Kerberos principal name in the certificate.

For HTTP and LDAP you can reuse the same certificate.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
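
The split described in the reply, as an added example that is not part of the original message: one CSR shared by HTTP and LDAP, and a separate PKINIT CSR carrying the KDC principal. It assumes the "very specific Kerberos principal name" is krbtgt/REALM@REALM encoded as the RFC 4556 otherName SAN (OID 1.3.6.1.5.2.2) with the KDC extended key usage (OID 1.3.6.1.5.2.3.5); the realm, host name and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example. REALM and HOST are constructed placeholder values.
REALM=EXAMPLE.TEST
HOST=ipa1.example.test
make_csrs() {  # $1 = output directory
    # Shared HTTP/LDAP request: server host name as a DNS SAN.
    cat > "$1/server.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $HOST
[ext]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
    # PKINIT request (assumed RFC 4556 form): KDC EKU plus krbtgt/REALM@REALM.
    cat > "$1/kdc.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $HOST
[ext]
keyUsage = digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[kdc_princ_name]
realm = EXP:0, GeneralString:$REALM
principal_name = EXP:1, SEQUENCE:kdc_principal_seq
[kdc_principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_principals
[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:$REALM
EOF
    for n in server kdc; do  # separate private key per request
        openssl req -new -newkey rsa:2048 -nodes -config "$1/$n.cnf" \
            -keyout "$1/$n.key" -out "$1/$n.csr" 2>/dev/null || return 1
    done
}
csr_text() { openssl req -in "$1" -noout -text; }  # inspect before submitting

OUT=${OUT:-$(mktemp -d)}
make_csrs "$OUT" && echo "CSRs written to $OUT"
```

Run `csr_text` on each request before sending it to the external CA, and check the issued certificates again afterwards, since a CA may drop requested extensions it does not recognise.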