Ian Pilcher via FreeIPA-users wrote:
> I am trying to get OpenShift to use my FreeIPA installation
> (ipa-server-4.6.5-11.el7.centos.4.x86_64) as an identity provider.
> OpenShift is refusing to talk to the LDAP server, because its
> certificate doesn't contain a subjectAltName.
>
> So I need to re-request/re-issue the certificate with the SAN. Will it
> be sufficient to modify the caIPAserviceCert profile to copy the
> hostname from the CN to the SAN (as discussed in [1]) and then use
> ipa-getcert resubmit?
>
> Will this break anything? (I only have a single IPA server/CA.)
>
> Thanks!
>
> [1]
> https://frasertweedale.github.io/blog-redhat/posts/2017-07-11-cn-deprecation.html

You don't need to modify any configuration to get a SAN, just resubmit
the certmonger request with -D <SAN> and a new cert will be issued.

rob
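
The resubmit step from the reply, plus a check that a certificate really carries the host name as a SAN dNSName, as an added example that is not part of the original thread. The request ID, the host name `ipa.example.test` and the throwaway self-signed certificates are constructed; `-i` and `-D` are certmonger's request-ID and DNS-name options.

```shell
# Constructed values throughout: request ID, host name, throwaway certificates.

# The step from the reply: resubmit the tracked request and ask for a DNS SAN.
# Run on the IPA server; take the request ID from `ipa-getcert list`.
resubmit_with_san() {  # usage: resubmit_with_san <request-id> <dns-name>
    ipa-getcert resubmit -i "$1" -D "$2"
}

# Save the certificate the LDAPS port is serving, to inspect after the reissue.
fetch_ldaps_cert() {  # usage: fetch_ldaps_cert <host> > served.pem
    openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Succeed only if the PEM file has a subjectAltName dNSName equal to the host.
# `openssl x509 -checkhost` is not used: it falls back to the subject CN when
# no dNSName is present, which would hide the problem described in the thread.
cert_has_san_dns() {  # usage: cert_has_san_dns <cert.pem> <dns-name>
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -qixF "DNS:$2"
}

# Offline stand-in for the CA: a self-signed certificate, SAN only if $3 is set.
make_demo_cert() {  # usage: make_demo_cert <out.pem> <cn> [san-dns-name]
    if [ -n "${3:-}" ]; then
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
            -nodes -keyout "$1.key" -out "$1" -subj "/CN=$2" -days 1 \
            -addext "subjectAltName=DNS:$3" 2>/dev/null
    else
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
            -nodes -keyout "$1.key" -out "$1" -subj "/CN=$2" -days 1 2>/dev/null
    fi
}

# Compare a CN-only certificate with one that also carries the SAN.
demo() {
    dir=$(mktemp -d)
    make_demo_cert "$dir/cn-only.pem" ipa.example.test
    make_demo_cert "$dir/with-san.pem" ipa.example.test ipa.example.test
    for f in cn-only with-san; do
        if cert_has_san_dns "$dir/$f.pem" ipa.example.test
        then echo "$f: SAN present"; else echo "$f: SAN missing"; fi
    done
    rm -rf "$dir"
}
if [ "${1:-}" = demo ]; then demo; fi
```

After the real resubmit, `fetch_ldaps_cert <host> > served.pem` followed by `cert_has_san_dns served.pem <host>` confirms that the directory server is serving the new certificate.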
