Hi Martin,

Thanks, I saw that ticket but didn't got to the wiki part yet.

What I wonder in Step 6:

6. Request a signed certificate for the service and see the entry in
Certmonger. In case you created a NSS database with a PIN (see the
step 3.), use -P $PIN or -p /etc/httpd/nssdb/pwdfile.txt option to
tell certmonger about it: # ipa-getcert request -d /etc/httpd/nssdb -n
Server-Cert -K HTTP/`hostname` -N CN=`hostname`,O=EXAMPLE.COM -g 2048
-p /etc/httpd/nssdb/pwdfile.txt

SAN names: in FreeIPA 4.0 and later, you can add optional SAN DNS
names to your request with -D. Note that you need to first create
respective host or service objects and configure that given host can
manage them with service-add-host or host-add-managedby command. These
objects are being verified when FreeIPA cert-req command authorizes
the SAN names.

Can I just add the alt names in that command, how should I proceed ? I
added the host like

ldap.domain... where my ldap servers are ldap-01 and ldap-02



2015-03-06 14:08 GMT+01:00 Martin Kosek <mko...@redhat.com>:
> On 03/06/2015 01:30 PM, Matt . wrote:
>> Hi,
>> I'm figuring out how to regenerate the webserver certificates so I can
>> use a loadbalancer in front of my ipa servers.
>> I see in the docs there is information about this, but not for the
>> webservice. Does anyone have some directions ?
>> Thanks.
>> Matt
> Certificate SubjectAltName was fixed in FreeIPA 4.0, this is the upstream
> ticket:
> https://fedorahosted.org/freeipa/ticket/3977
> The procedure is described in upstream wiki for example:
> http://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger
> HTH,
> Martin

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to