Hey folks, Really quick question. If a host, say web01.example.com is online, in IPA et all but serving supremecustomer.com and I would need a (ipa-signed, which suffices) cert, would this be the right way?
Assumptions: - All commands executed on web01.example.com
- /etc/ssl/ipa & perms are OK.
cert="supremecustomer.com"
ipa host-add ${cert} --desc="Dummy Host / ${cert}"
--location="$(hostname -f)"
ipa host-add-managedby ${cert} --hosts="$(hostname -f)"
ipa service-add HTTP/${cert}
ipa service-add-host HTTP/${cert} --hosts="$(hostname -f)"
ipa-getcert request -r -f /etc/ssl/ipa/${cert}.crt -k
/etc/ssl/ipa/${cert}.key -N CN=${cert} -D ${cert} -K HTTP/${cert}
chown root:nginx /etc/ssl/ipa/${cert}.{key,crt}
chmod 0640 /etc/ssl/ipa/${cert}.{key,crt}
Is this still the way to go? Is there a way around "One dummy host per
SNI Certificate" in any way?
Cheers,
Chris.
--
Christian Reiss - em...@christian-reiss.de /"\ ASCII Ribbon
supp...@alpha-labs.net \ / Campaign
X against HTML
WEB alpha-labs.net / \ in eMails
GPG Retrieval https://gpg.christian-reiss.de
GPG ID ABCD43C5, 0x44E29126ABCD43C5
GPG fingerprint = 9549 F537 2596 86BA 733C A4ED 44E2 9126 ABCD 43C5
"It's better to reign in hell than to serve in heaven.",
John Milton, Paradise lost.
signature.asc
Description: OpenPGP digital signature
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
