On 09/12/2014 02:43 PM, Michael Lasevich wrote:
That is awesome, but I am clearly missing some insight as to how this is supposed to work. Can you point me to some more specific info on how to accomplish this?


I tried using the ipa-getcert request with multiple -D's from the client, but got:

** Insufficient access: You need to be a member of the serviceadmin role to add services

Unless I am missing something, I should probably not add each host to "serviceadmins" for security reasons.

4.0 has a new permissions system; this might yet be another use case that we might have overlooked.
I will leave it to the developers to review this situation on Monday morning.


So then I tried generating a CSR via openssl with SANs on the client and then adding it using "ipa cert-request file.csr --principal host/${client_hostname}@DOMAIN" from the IPA server as admin (just to be sure) and got this error (where <ALIAS> is the first SAN):

** ipa: ERROR: The service principal for subject alt name <ALIAS> in certificate request does not exist

It sounds like I need to create a service principal for each SAN, but I can't seem to figure out how to do it (it only allows me to create service principals for existing hosts).

Any help or pointers would be greatly appreciated.

-M

On Fri, Sep 12, 2014 at 4:12 AM, Dmitri Pal <d...@redhat.com> wrote:

    On 09/11/2014 09:25 PM, Michael Lasevich wrote:
    If I remember correctly, you could not use SAN (Subject Alternate Names) for certificates in FreeIPA 3.0 - is this still the case with 4?

    https://fedorahosted.org/freeipa/ticket/3977 < 4.0 is able.


    I have hosts that automatically receive two hostnames, a long proper name (like "service-i-12345678") and a simpler cname based on an index for ease of access (like "service-1") - however since the OS hostname is the "proper" one, certs would typically be issued to that name. I want my users to be able to hit it via the simpler "index" names. Is that currently possible (esp. given that the cnames are actually in a different DNS domain)?

    Thanks,

    -M




    --
    Thank you,
    Dmitri Pal

    Sr. Engineering Manager IdM portfolio
    Red Hat, Inc.


    --
    Manage your subscription for the Freeipa-users mailing list:
    https://www.redhat.com/mailman/listinfo/freeipa-users
    Go To http://freeipa.org for more info on the project




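As an added example (not code from this thread or from the FreeIPA project), a shell helper for the openssl route described above: it builds a CSR with the host's proper name as CN and each alias as a DNS SAN, then lists the SANs so an admin can confirm that every name has a matching IPA principal before running `ipa cert-request`. The hostnames used are constructed placeholders.

```shell
#!/bin/sh
# Added example: CSR with DNS SANs for a FreeIPA host, plus a SAN lister.
# FreeIPA rejects a CSR whose SAN has no matching principal (see the error
# quoted in the thread), so list the SANs and check each one first.
set -eu

# make_san_csr KEYFILE CSRFILE PRIMARY_FQDN [ALIAS_FQDN ...]
# Writes a 2048-bit RSA key and a CSR with CN=PRIMARY_FQDN and one DNS SAN
# per supplied name (primary first, then every alias).
make_san_csr() {
  key="$1"; csr="$2"; primary="$3"; shift 3
  san="DNS:${primary}"
  for alias in "$@"; do san="${san},DNS:${alias}"; done
  cfg="$(mktemp)"
  cat >"$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = ${primary}
[ext]
subjectAltName = ${san}
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
    -config "$cfg" >/dev/null 2>&1
  rm -f "$cfg"
}

# csr_sans CSRFILE
# Prints one DNS SAN per line, stripped of the "DNS:" prefix. Each printed
# name is one that IPA will look up as a principal when the CSR is submitted.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Usage (placeholder names, constructed for this example):
#   make_san_csr host.key host.csr service-i-12345678.example.test \
#       service-1.alias.example.test
#   csr_sans host.csr        # review each name against IPA before
#                            # ipa cert-request host.csr --principal host/...
```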
