I did set up a profile using Fraser's directions, and I see something in there about:

policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
policyset.serverCertSet.12.constraint.name=No Constraint
policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12

But I'm not sure if that's something I have to trigger somehow, or if it just should happen.

--
Bret Wortman

On Tue, Jun 7, 2022, at 11:44 AM, Rob Crittenden wrote:
> Bret Wortman via FreeIPA-users wrote:
>> When I try adding it as an alt name:
>>
>> # certutil -R -d . -a -g 2048 -s "cn=elastic.our.net,o=our.net" \
>>     -8 elastic.our.net,\*.elastic.our.net,zsece01.our.net,zsece02.our.net,zsece03.our.net \
>>     > elastic.our.net.csr
>> # ipa cert-request elastic.our.net.csr --principal host/elastic.our.net --profile wildcard
>> ipa: ERROR: The service principal for subject alt name *.elastic.spx.net in
>> certificate request does not exist
>>
>> I'm not sure how to add a wildcard host principal...
>>
>
> I think that like using a profile to reset the CN in the subject you'd
> need to add the wildcard as a SAN in a profile. I don't know whether
> that is possible or not.
>
> IPA won't issue certificates for things it doesn't know about.
>
> rob
