Hi Harry,

Here are the rules for validation of iPAddressName values in the SAN extension:

1. Each iPAddressName value must be the result of resolving at least one of the dNSName values.
2. Each iPAddressName value must have a PTR record that returns a name that resolves back to that IP address.
3. Only the IPA DNS records are consulted, because only data in the IPA database is trusted for CSR validation.

> Would freeipa be able to issue IPs in certificates if I enabled freeipa's
> dns system but pointed it off-host for all resolutions? Or is it required
> the DNS records be in local LDAP 'no matter what'.

Yes, that is required. There is no "force" option.

Trusting external DNSSEC is something that could be considered, but we are unlikely to implement this unless there is a compelling driver. Feel free to file an RFE, especially if you or your organisation may be able to help deliver it. (These are not empty words - the current SAN IP support was also a community contribution).

Thanks,
Fraser

On Tue, Aug 12, 2025 at 11:15:11AM -0500, Harry G Coin via FreeIPA-users wrote:
> Hi Freeipa Team
>
> Am I correct that only if freeipa's internal DNS is active and current that
> freeipa can issue certificates if IP addresses are in the SAN part of the
> cert? Even if DNSSEC supported resolvers with accurate info are on the
> same RFC1918 subnet as freeipa and nslookup / dig report proper answers?
>
> I hit a wall trying to re-issue a certificate. We had freeipa's DNS running
> a few years ago, when the certs were first issued. Then migrated to another
> resolver with better HA DNSSEC support.
>
> Would freeipa be able to issue IPs in certificates if I enabled freeipa's
> dns system but pointed it off-host for all resolutions? Or is it required
> the DNS records be in local LDAP 'no matter what'.
>
> Or perhaps a 'force because I actually do know what I'm doing' command to
> issue such certificates with IPs in the SAN?
>
> I feel like I'm missing something obvious here, so please help me out.
>
> Thanks
>
> Harry
>
> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
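The three validation rules Fraser lists, written out as an added example (not FreeIPA's own code): the forward and PTR records below are constructed in-memory stand-ins for the IPA DNS zone data, which is the only source consulted under rule 3, and the names and addresses are assumptions for illustration.

```python
import ipaddress

# Constructed stand-in for the IPA DNS database (rule 3: only these records count).
# Forward records: FQDN -> set of A/AAAA addresses.  Reverse records: PTR owner name
# (as produced by ipaddress.*.reverse_pointer) -> the FQDN the PTR returns.
IPA_FORWARD = {
    "web.ipa.example": {"192.0.2.10", "2001:db8::10"},
    "db.ipa.example": {"192.0.2.20"},
    "alias.ipa.example": {"198.51.100.5"},
    "stale.ipa.example": {"198.51.100.6"},   # PTR below still points here (stale)
}
IPA_REVERSE = {
    ipaddress.ip_address("192.0.2.10").reverse_pointer: "web.ipa.example",
    ipaddress.ip_address("2001:db8::10").reverse_pointer: "web.ipa.example",
    ipaddress.ip_address("192.0.2.20").reverse_pointer: "db.ipa.example",
    ipaddress.ip_address("198.51.100.5").reverse_pointer: "stale.ipa.example",
}


def validate_san_ips(dns_names, ip_names, forward, reverse):
    """Return {iPAddressName: [violations]} for a CSR's SAN; an empty list means accepted."""
    # Rule 1: collect every address that the request's own dNSName values resolve to.
    # Addresses are normalised so that "2001:db8:0::10" and "2001:db8::10" compare equal.
    resolved = set()
    for name in dns_names:
        for addr in forward.get(name.lower().rstrip("."), ()):
            resolved.add(ipaddress.ip_address(addr))

    results = {}
    for ip_name in ip_names:
        ip = ipaddress.ip_address(ip_name)
        problems = []
        if ip not in resolved:
            problems.append("rule 1: no dNSName in the request resolves to this address")
        # Rule 2: a PTR record must exist and its target must resolve back to the IP.
        ptr_target = reverse.get(ip.reverse_pointer)
        if ptr_target is None:
            problems.append("rule 2: no PTR record in IPA DNS")
        else:
            back = {ipaddress.ip_address(a) for a in forward.get(ptr_target.lower(), ())}
            if ip not in back:
                problems.append(f"rule 2: PTR target {ptr_target} does not resolve back to this address")
        results[str(ip)] = problems
    return results


if __name__ == "__main__":
    request_dns = ["web.ipa.example", "alias.ipa.example"]
    request_ips = ["192.0.2.10", "2001:db8::10", "192.0.2.20", "198.51.100.5", "192.0.2.30"]
    for ip, problems in validate_san_ips(request_dns, request_ips, IPA_FORWARD, IPA_REVERSE).items():
        print(ip, "OK" if not problems else "; ".join(problems))
```

Note that 192.0.2.20 fails only because no dNSName in the request maps to it, while 198.51.100.5 passes rule 1 via alias.ipa.example but fails rule 2 because its PTR still names a host that now resolves elsewhere.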