-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: Tuesday, January 27, 2015 2:09 PM
To: Craig White
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Sign certificates with subjectAltName

On Tue, 27 Jan 2015, Craig White wrote:
>$ rpm -q ipa-server
>I tend to revert to openssl as I have some familiarity with it.
>ipa service-add HTTP/p1nxut01.stt.local
>excellent except we wanted human friendly certificates/SSL
>So I created a one-off openssl.cnf file with subjectAltName configured and 
>generated csr and key files...
>grep subjectAltName openssl.cnf
>openssl req -new -config /etc/ssl/openssl.cnf -out p1nxut01.csr -keyout 
>and then passed them on to IPA for signing...
>ipa cert-request p1nxut01.csr --principal 
>and it was reported serial #44
>so I retrieved the certificate...
>ipa cert-show 44 --out=/etc/ssl/p1nxut01.stt.local.crt
>openssl x509 -in p1nxut01.stt.local.crt -noout -text
>but no subjectAltNames are listed  :-(
>can someone hit me with a cluestick?
Yes, this is not supported in 3.0.0.
We implemented support for it in 4.1, see
Thanks Alexander - not the cluestick I was hoping for but obviously definitive.

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to