On Tue, 27 Jan 2015, Craig White wrote:
$ rpm -q ipa-server
ipa-server-3.0.0-42.el6.x86_64
I tend to revert to openssl as I have some familiarity with it.
ipa service-add HTTP/p1nxut01.stt.local
excellent except we wanted human friendly certificates/SSL
So I created a one-off openssl.cnf file with subjectAltName configured and
generated csr and key files...
grep subjectAltName openssl.cnf
subjectAltName="nexus.stt.local"
openssl req -new -config /etc/ssl/openssl.cnf -out p1nxut01.csr -keyout
p1nxut01.key
and then passed them on to IPA for signing...
ipa cert-request p1nxut01.csr --principal
host/p1nxut01.stt.local@STT.LOCAL<mailto:host/p1nxut01.stt.local@STT.LOCAL>
and it was reported serial #44
so I retrieved the certificate...
ipa cert-show 44 --out=/etc/ssl/p1nxut01.stt.local.crt
openssl x509 -in p1nxut01.stt.local.crt -noout -text
but no subjectAltNames are listed :-(
can someone hit me with a cluestick?
Yes, this is not supported in 3.0.0.
We implemented support for it in 4.1, see
https://bugzilla.redhat.com/show_bug.cgi?id=1112605
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
