On Sun, Aug 02, 2015 at 02:59:52PM -0700, Janelle wrote:
> Hello everyone,
>
> I was wondering if anyone knows of a way to add SAN(s) to the self-signed
> certificate that are installed when you installed freeipa? Or am I stuck
> having to do a re-install and use new certificates? If you try to run
> haproxy as a load balancer in front of the "ldap/http" servers, well, as you
> might guess the haproxy server name needs to be added somehow to the server
> configs so it is a SAN of the existing self-signed certs. I can't think of
> any way to do it, but maybe some of the pki experts here have any idea?
>
> Thank you
> ~Janelle
>

You do not need a SAN on the root certificate, but on the service
certificates. This is supported: you first need to create a service
principal for the load balancer, then issue a new service certificate
with the haproxy SAN in the CSR (the getcert `-D' option can be used
to add a SAN to a certmonger request).

HTH,
Fraser

> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
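
The procedure described in the reply above, as an added example that is not part of the original thread: create the load balancer's service principal, request a certificate with `-D`, then check that the issued certificate really carries the name. The hostnames, file paths, the `ipa service-add-host` step and the existence of a host entry for the load balancer are assumptions, not details from the message.

```sh
#!/bin/sh
# Added example (not from the thread). Hostnames and paths are hypothetical
# placeholders; run on the IPA-enrolled backend with an admin Kerberos ticket.
LB_HOST="${LB_HOST:-haproxy.example.test}"   # load balancer name to add as a SAN
BACKEND="${BACKEND:-ipa1.example.test}"      # server behind the load balancer
LB_SVC="${LB_SVC:-HTTP}"                     # service type: HTTP or ldap
LB_CERT="${LB_CERT:-/etc/pki/tls/certs/lb-san.crt}"
LB_KEY="${LB_KEY:-/etc/pki/tls/private/lb-san.key}"

# run CMD...: print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

request_lb_cert() {
    # 1. Service principal for the load balancer (assumption: its host
    #    entry already exists in IPA).
    run ipa service-add "$LB_SVC/$LB_HOST" || return 1
    # 2. Assumption: let the backend host manage that principal, so the
    #    backend's request is allowed to carry the load balancer name.
    run ipa service-add-host "$LB_SVC/$LB_HOST" --hosts="$BACKEND" || return 1
    # 3. New service certificate; each -D adds one DNS SAN to the CSR.
    run ipa-getcert request -f "$LB_CERT" -k "$LB_KEY" \
        -K "$LB_SVC/$BACKEND" -N "CN=$BACKEND" \
        -D "$BACKEND" -D "$LB_HOST"
}

# has_dns_san CERTFILE NAME: succeed only if the PEM certificate lists
# NAME as a DNS subjectAltName (exact match, not a substring).
has_dns_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$2"
}
```

Call `request_lb_cert` with `DRY_RUN=1` first to review the three commands, then, once certmonger has issued the certificate, run `has_dns_san "$LB_CERT" "$LB_HOST"` before pointing haproxy at the backend.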
