On Sun, Aug 02, 2015 at 02:59:52PM -0700, Janelle wrote:
> Hello everyone,
> 
> I was wondering if anyone knows of a way to add SAN(s) to the self-signed
> certificate that are installed when you installed freeipa? Or am I stuck
> having to do a re-install and use new certificates?   If you try to run
> haproxy as a load balancer in front of the "ldap/http" servers, well, as you
> might guess the haproxy server name needs to be added somehow to the server
> configs so it is a SAN of the existing self-signed certs.  I can't think of
> any way to do it, but maybe some of the pki experts here have any idea?
> 
> Thank you
> ~Janelle
> 
You do not need a SAN on the root certificate, but on the service
certificates.  This is supported: you first need to create a service
principal for the load balancer, then issue a new service
certificate with the haproxy SAN in the CSR (the getcert `-D' option
can be used to add a SAN to a certmonger request).

HTH,
Fraser

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to