There’s no direct overlap between DNS and the certificates. Clients of certificates use DNS, but the certificate system is entirely unrelated.
DNS is kind of an add-on/bolt-on to FreeIPA; it’s not intrinsically tied to the Host definitions in FreeIPA other than a checkbox which allows you to create DNS entries.

> On Aug 12, 2025, at 9:15 AM, Harry G Coin via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>
> Hi Freeipa Team
>
> Am I correct that only if freeipa's internal DNS is active and current that
> freeipa can issue certificates if IP addresses are in the SAN part of the
> cert? Even if DNSSec supported resolvers with accurate info are on the same
> RFC1918 subnet as freeipa and nslookup / dig report proper answers?
>
> I hit a wall trying to re-issue a certificate. We had freeipa's DNS running
> a few years ago, when the certs were first issued. Then migrated to another
> resolver with better HA dnssec support.
>
> Would freeipa be able to issue IPs in certificates if I enabled freeipa's dns
> system but pointed it off-host for all resolutions? Or is it required the
> DNS records be in local LDAP 'no matter what'.
>
> Or perhaps a 'force because I actually do know what I'm doing' command to
> issue such certificates with IPs in the SAN?
>
> I feel like I'm missing something obvious here, so please help me out.
>
> Thanks
>
> Harry
>
> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue