-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Tuesday, January 27, 2015 2:09 PM
To: Craig White
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Sign certificates with subjectAltName

On Tue, 27 Jan 2015, Craig White wrote:
>$ rpm -q ipa-server
>ipa-server-3.0.0-42.el6.x86_64
>
>I tend to revert to openssl as I have some familiarity with it.
>
>ipa service-add HTTP/p1nxut01.stt.local
>
>excellent except we wanted human friendly certificates/SSL
>
>So I created a one-off openssl.cnf file with subjectAltName configured and
>generated csr and key files...
>grep subjectAltName openssl.cnf
>subjectAltName="nexus.stt.local"
>openssl req -new -config /etc/ssl/openssl.cnf -out p1nxut01.csr -keyout p1nxut01.key
>
>and then passed them on to IPA for signing...
>ipa cert-request p1nxut01.csr --principal host/p1nxut01.stt.local@STT.LOCAL
>and it was reported serial #44
>
>so I retrieved the certificate...
>ipa cert-show 44 --out=/etc/ssl/p1nxut01.stt.local.crt
>
>openssl x509 -in p1nxut01.stt.local.crt -noout -text
>
>but no subjectAltNames are listed :-(
>
>can someone hit me with a cluestick?

Yes, this is not supported in 3.0.0. We implemented support for it in 4.1, see
https://bugzilla.redhat.com/show_bug.cgi?id=1112605

----

Thanks Alexander - not the cluestick I was hoping for but obviously definitive.
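
Added example, not part of the thread and not FreeIPA code: a way to tell whether a subjectAltName is missing from the request itself or was dropped at signing, by checking the CSR and the issued certificate with the same test. The request config, the work directory and the two local self-signing steps (stand-ins for a CA, not IPA) are constructed for illustration; only the host names come from the thread.

```shell
#!/bin/sh
# Added example. The local self-signing step is a stand-in for a CA, not IPA.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
HOST=p1nxut01.stt.local   # service host from the thread
ALIAS=nexus.stt.local     # friendly name from the thread

# Constructed request config: the SAN sits in an extension section named by
# req_extensions, and every value carries a type prefix such as DNS:.
cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $HOST
[v3_req]
subjectAltName = DNS:$ALIAS, DNS:$HOST
EOF

# has_san KIND FILE NAME: succeed if FILE (KIND is req or x509) lists DNS:NAME.
has_san() {
    openssl "$1" -in "$2" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' |
        grep -Eq "DNS:$3(,|[[:space:]]*\$)"
}

report() {
    if has_san "$1" "$2" "$ALIAS"; then echo "$2: SAN present"
    else echo "$2: SAN MISSING"; fi
}

openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/host.key" -out "$WORK/host.csr" 2>/dev/null

# Signer 1 ignores the extensions the CSR asks for (x509 -req default).
openssl x509 -req -in "$WORK/host.csr" -signkey "$WORK/host.key" -days 1 \
    -out "$WORK/dropped.crt" 2>/dev/null
# Signer 2 is told explicitly which extensions to put in the certificate.
openssl x509 -req -in "$WORK/host.csr" -signkey "$WORK/host.key" -days 1 \
    -extfile "$WORK/req.cnf" -extensions v3_req -out "$WORK/kept.crt" 2>/dev/null

report req  "$WORK/host.csr"      # request carries the SAN
report x509 "$WORK/dropped.crt"   # lost at signing, as in the thread
report x509 "$WORK/kept.crt"      # SAN survives
```

Running `has_san req` on a CSR before submitting it shows whether the request is at fault; running `has_san x509` on the file written by `ipa cert-show --out` shows whether the CA kept the extension.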