On Thu, 01 Nov 2018, Henrik Stigendal via FreeIPA-users wrote:

On 1 Nov 2018, at 00:51, Fraser Tweedale <ftwee...@redhat.com> wrote:

Note that you'll have a hard time getting a certificate signed by a
public CA with the appropriate Extended Key Usage and Subject
Alternative Name values for a KDC certificate.  If you are getting
certificates from some other internal CA controlled by your
organisation, no worries.  Otherwise, you'll have to make do without
Kerberos PKINIT support.

Thanks, you mean the UPN: krbtgt/domain....@domainn.net part?

We have an internal CA, I guess I'll try to generate a CSR with
certutil and submit it. It will be quite a few UPN/SAN entries if I want one
certificate for all servers for LDAP/HTTP and PKINIT respectively.
Maybe have two per server and a common name for a load balancer in
each certificate; this is really not my area of expertise, it was so
much easier with the provided CA in IPA :)
If you have an internal CA, it would be much easier to get that CA to
sign the IPA CA as a sub-CA. Then clients will trust IPA CA-issued
certificates if they already trust the internal CA.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
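For the CSR route Henrik mentions, here is an added example (not from the thread or the FreeIPA project) of a KDC CSR carrying the two fields Fraser points out a public CA will not issue: the id-pkinit-KDC Extended Key Usage and the id-pkinit-san otherName holding krbtgt/REALM@REALM. It uses openssl instead of certutil (an assumption), the ASN.1 section layout follows the MIT krb5 PKINIT documentation, and the realm, hostname and output paths are constructed values; a second function checks the resulting CSR's raw DER bytes for those fields.

```shell
#!/bin/sh
# Added example, not from the thread: build a CSR for a Kerberos KDC that
# carries EKU id-pkinit-KDC (1.3.6.1.5.2.3.5) and a SAN otherName of type
# id-pkinit-san (1.3.6.1.5.2.2) containing krbtgt/REALM@REALM.
# Uses openssl instead of certutil (assumption); section layout follows the
# MIT krb5 pkinit docs. Realm, host and directory values are constructed.
set -e

# make_kdc_csr REALM HOSTNAME OUTDIR -> writes OUTDIR/kdc.key and OUTDIR/kdc.csr
make_kdc_csr() {
    realm=$1; host=$2; dir=$3
    mkdir -p "$dir"
    cat > "$dir/kdc.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
req_extensions = kdc_ext
[ dn ]
CN = $host
[ kdc_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectAltName = DNS:$host,otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
# KRB5PrincipalName ::= SEQUENCE { realm [0], principalName [1] }
[ kdc_princ_name ]
realm = EXP:0,GeneralString:$realm
principal_name = EXP:1,SEQUENCE:kdc_principal_seq
# PrincipalName ::= SEQUENCE { name-type [0], name-string [1] }; type 1 = NT-PRINCIPAL
[ kdc_principal_seq ]
name_type = EXP:0,INTEGER:1
name_string = EXP:1,SEQUENCE:kdc_principals
[ kdc_principals ]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:$realm
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/kdc.cnf" \
        -keyout "$dir/kdc.key" -out "$dir/kdc.csr" 2>/dev/null
}

# csr_has_pkinit_fields CSR -> succeeds only if the DER contains the KDC EKU
# OID, the id-pkinit-san OID and the GeneralString "krbtgt". Raw bytes are
# checked so the result does not depend on which OID names openssl knows.
csr_has_pkinit_fields() {
    hex=$(openssl req -in "$1" -outform DER | od -An -tx1 -v | tr -d ' \n')
    case $hex in *06072b060105020305*) ;; *) return 1 ;; esac  # EKU id-pkinit-KDC
    case $hex in *06062b0601050202*) ;;   *) return 1 ;; esac  # SAN id-pkinit-san
    case $hex in *1b066b7262746774*) ;;   *) return 1 ;; esac  # GeneralString krbtgt
}
```

Submit kdc.csr to the internal CA; the issued certificate should keep both extensions, which is exactly what a public CA will usually refuse.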