Trying to figure this out:
ipa host-add haproxy.example.com
ipa service-add HTTP/[email protected]
ipa service-add LDAP/[email protected]
ipa-getcert request -d /tmp -n haproxy-cert -K LDAP/haproxy.example.com \
  -N 'CN=haproxy.example.com,O=EXAMPLE.COM'
^^^^^ this is where I am confused, because if I created a cert request
for the new service, then why am I putting the name of the haproxy in
the SAN? Unless I am completely misreading your suggestion?
Thank you
~J
On 8/2/15 8:53 PM, Fraser Tweedale wrote:
On Sun, Aug 02, 2015 at 02:59:52PM -0700, Janelle wrote:
Hello everyone,
I was wondering if anyone knows of a way to add SAN(s) to the self-signed
certificates that are installed when you install freeipa? Or am I stuck
having to do a re-install and use new certificates? If you try to run
haproxy as a load balancer in front of the "ldap/http" servers, well, as you
might guess the haproxy server name needs to be added somehow to the server
configs so it is a SAN of the existing self-signed certs. I can't think of
any way to do it, but maybe some of the pki experts here have an idea?
Thank you
~Janelle
You do not need a SAN on the root certificate, but on the service
certificates. This is supported: you first need to create a service
principal for the load balancer, then issue a new service
certificate with the haproxy SAN in the CSR (the getcert `-D' option
can be used to add a SAN to a certmonger request).
HTH,
Fraser
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
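Added worked example, not part of the thread above and not FreeIPA project code: the point of Fraser's suggestion is that the SAN names what clients will actually type into their browser or LDAP client (the load balancer, haproxy.example.com), so that name has to appear on the certificate the backend service presents, regardless of which host terminates the connection. The script below builds a CSR with that DNS SAN using openssl and checks the extension is really present before the CSR is handed to IPA, which is the step where a wrong -N/-D mix-up would otherwise only surface as a TLS name mismatch in production. The hostnames, O= value, file paths and the HTTP/ principal choice are assumptions for illustration; the IPA submission commands at the end are the documented `ipa cert-request` and `ipa-getcert request` syntax but are shown as comments because they need an enrolled host.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Builds a CSR whose
# SAN carries the load balancer's DNS name and verifies the extension.
# Assumed names: haproxy.example.com as the LB, O=EXAMPLE.COM, files in
# $WORKDIR. Requires OpenSSL >= 1.1.1 for -addext.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
LB_NAME="${LB_NAME:-haproxy.example.com}"

# Generate a fresh RSA key and a CSR. The Subject CN is the LB name and,
# more importantly, the same name is in subjectAltName, since modern
# clients ignore the CN and match on SAN only. Prints the CSR path.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/haproxy.key" -out "$WORKDIR/haproxy.csr" \
        -subj "/CN=$LB_NAME/O=EXAMPLE.COM" \
        -addext "subjectAltName=DNS:$LB_NAME" >/dev/null 2>&1
    printf '%s\n' "$WORKDIR/haproxy.csr"
}

# Return 0 if the CSR's Requested Extensions contain a SAN with the given
# DNS name, 1 otherwise. Run this before submitting: IPA will only ever
# sign what is in the CSR, so a missing SAN here is a missing SAN on the
# issued certificate.
csr_has_dns_san() {
    csr="$1"
    name="$2"
    openssl req -in "$csr" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' |
        grep -q "DNS:$name"
}

# Submitting to IPA (run on an enrolled host with a valid ticket; shown as
# comments because it cannot run offline). Fraser's two steps:
#
#   ipa host-add haproxy.example.com
#   ipa service-add HTTP/haproxy.example.com
#   # let the backend (e.g. ipa1.example.com) manage the LB service so it
#   # may request a certificate naming it:
#   ipa service-add-host HTTP/haproxy.example.com --hosts=ipa1.example.com
#
# then either hand IPA the CSR built above:
#
#   ipa cert-request "$WORKDIR/haproxy.csr" --principal=HTTP/haproxy.example.com
#
# or let certmonger build the CSR itself, adding the SAN with -D (and
# tracking renewal for you):
#
#   ipa-getcert request -f /etc/pki/tls/certs/haproxy.crt \
#       -k /etc/pki/tls/private/haproxy.key \
#       -K HTTP/haproxy.example.com -D haproxy.example.com \
#       -N 'CN=haproxy.example.com,O=EXAMPLE.COM'

if [ "${1:-}" = "run" ]; then
    csr="$(make_csr)"
    csr_has_dns_san "$csr" "$LB_NAME" && echo "SAN DNS:$LB_NAME present in $csr"
fi
```

Usage: `sh make-lb-csr.sh run` (file name assumed) writes the key and CSR under a temp directory and confirms the SAN. Note that with `ipa cert-request` the key stays wherever you generated it; with `ipa-getcert` certmonger owns key, CSR and renewal, which is the option to prefer for a long-lived load balancer.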