> On 1 Nov 2018, at 10:39, Alexander Bokovoy <aboko...@redhat.com> wrote:
>
>> Thanks, you mean the UPN: kbtgt/domain....@domainn.net part?
>>
>> We have an internal CA, I guess I'll try to generate a CSR with
>> certutil and submit it. It will be quite a few UPN/SAN if I want one
>> certificate for all servers for LDAP/HTTP and PKINIT respectively.
>> Maybe have two per server and a common name for a load balancer in
>> each certificate, this is really not my area of expertise, it was so
>> much easier with the provided CA in IPA :)
> If you have an internal CA, it would be much easier to get that CA to
> sign IPA CA as a sub-CA. Then clients will trust IPA CA-issued
> certificates if they trust internal CA already.

I would love to, but they are not very keen on giving me a sub-CA, and if they do they want me to always throw the keys into HSMs, which I don't have.

This does not seem like a common configuration, maybe I will create a temporary CA that I control to find out exactly how the requests should look, otherwise there will be trial and error with real certificates and wait times for every certificate.

Thanks
Henrik