> On 1 Nov 2018, at 00:51, Fraser Tweedale <[email protected]> wrote:
> Note that you'll have a hard time getting a certificate signed by a
> public CA with the appropriate Extended Key Usage and Subject
> Alternative Name values for a KDC certificate. If you are getting
> certificates from some other internal CA controlled by your
> organisation, no worries. Otherwise, you'll have to make do without
> Kerberos PKINIT support.

Thanks, you mean the UPN: kbtgt/[email protected] part?

We have an internal CA, I guess I'll try to generate a CSR with certutil and submit it. It will be quite a few UPN/SAN if I want one certificate for all servers for LDAP/HTTP and PKINIT respectively.

Maybe have two per server and a common name for a load balancer in each certificate, this is really not my area of expertise, it was so much easier with the provided CA in IPA :)

Regards
Henrik
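An added example, not part of the original thread and not FreeIPA's own tooling: one way to build a CSR for an internal CA that carries the KDC Extended Key Usage (id-pkinit-KPKdc, 1.3.6.1.5.2.3.5) and the id-pkinit-san Subject Alternative Name (1.3.6.1.5.2.2) discussed above. It uses OpenSSL rather than certutil; the function names are hypothetical, and the realm and host name are supplied by the caller.

```shell
#!/bin/sh
# Added example; function names are hypothetical, OIDs are those of RFC 4556.
# kdc_csr REALM KDC_FQDN OUTDIR: writes kdc.cnf, kdc.key, kdc.csr; prints the CSR path
kdc_csr() {
    realm=$1 fqdn=$2 out=$3
    mkdir -p "$out" || return 1
    cat > "$out/kdc.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions     = kdc_cert
prompt             = no

[dn]
CN = $fqdn

[kdc_cert]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
# id-pkinit-KPKdc: marks the certificate as a KDC certificate
extendedKeyUsage = 1.3.6.1.5.2.3.5
# id-pkinit-san otherName holding the KRB5PrincipalName krbtgt/REALM@REALM
subjectAltName   = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name

[kdc_princ_name]
realm          = EXP:0, GeneralString:$realm
principal_name = EXP:1, SEQUENCE:kdc_principal_seq

[kdc_principal_seq]
name_type   = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_principals

[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:$realm
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$out/kdc.cnf" \
        -keyout "$out/kdc.key" -out "$out/kdc.csr" 2>/dev/null || return 1
    chmod 600 "$out/kdc.key"
    printf '%s\n' "$out/kdc.csr"
}

# csr_extensions CSR: human-readable dump to review before submitting to the CA
csr_extensions() {
    openssl req -in "$1" -noout -text
}

# Usage (constructed values): kdc_csr EXAMPLE.TEST kdc1.example.test ./kdc-csr
```

The issuing CA must be configured to copy or re-add these extensions when it signs, since many CAs drop requested extensions by default.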
