Trying to figure this out:

ipa host-add haproxy.example.com
ipa service-add HTTP/haproxy.example....@example.com
ipa service-add LDAP/haproxy.example....@example.com

ipa-getcert request -d /tmp -n haproxy-cert -K LDAP/haproxy.example.com -N 'CN=haproxy.example.com,O=EXAMPLE.COM'

^^^^^ this is where I am confused, because if I created a cert request for the new service, then why am I putting the name of the haproxy in the SAN? Unless I am completely misreading your suggestion?

Thank you
~J

On 8/2/15 8:53 PM, Fraser Tweedale wrote:
On Sun, Aug 02, 2015 at 02:59:52PM -0700, Janelle wrote:
Hello everyone,

I was wondering if anyone knows of a way to add SAN(s) to the self-signed
certificate that are installed when you installed freeipa? Or am I stuck
having to do a re-install and use new certificates?   If you try to run
haproxy as a load balancer in front of the "ldap/http" servers, well, as you
might guess the haproxy server name needs to be added somehow to the server
configs so it is a SAN of the existing self-signed certs.  I can't think of
any way to do it, but maybe some of the pki experts here have any idea?

Thank you
~Janelle

You do not need a SAN on the root certificate, but on the service
certificates.  This is supported: you first need to create a service
principal for the load balancer, then issue a new service
certificate with the haproxy SAN in the CSR (the getcert `-D' option
can be used to add a SAN to a certmonger request).

HTH,
Fraser

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

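Worked example of the procedure Fraser outlines (added here; it is not code from the thread or from the FreeIPA project). It assumes the realm EXAMPLE.COM, a load balancer haproxy.example.com, two backend IPA servers ipa1/ipa2.example.com, and file-based storage under /etc/pki/tls, all of which are constructed names. The certificate is requested on each backend for that backend's own service principal; the load-balancer name is only an extra Subject Alternative Name added with `-D`, so a client that connects to haproxy.example.com is presented with a certificate that also carries that name. By default the script prints the commands instead of running them (DRY_RUN=1); set DRY_RUN=0 on an enrolled backend host to execute them.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Names below are assumptions.
REALM="EXAMPLE.COM"
LB_HOST="haproxy.example.com"          # the haproxy front end
BACKENDS="ipa1.example.com ipa2.example.com"
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the commands, 0 = run them

# Print a command, or execute it when DRY_RUN=0.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build the ipa-getcert request for one backend service principal.
#   $1 = service type (HTTP or LDAP), $2 = backend host, $3.. = extra SAN names.
# Subject and -K stay the backend's own identity; every extra name becomes a
# -D (DNS SAN) entry, which is how certmonger puts the SAN into the CSR.
getcert_cmd() {
    svc="$1"; host="$2"; shift 2
    cmd="ipa-getcert request -f /etc/pki/tls/certs/$svc-$host.crt"
    cmd="$cmd -k /etc/pki/tls/private/$svc-$host.key"
    cmd="$cmd -K $svc/$host@$REALM -N CN=$host,O=$REALM -D $host"
    for san in "$@"; do
        cmd="$cmd -D $san"
    done
    printf '%s\n' "$cmd"
}

# Count the -D entries in a request line (quick sanity check before issuing).
san_count() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -c '^-D$'
}

# After issuance: confirm the name is in the certificate's SAN extension.
# Needs openssl and the issued certificate file; returns non-zero if absent.
san_present() {
    cert="$1"; name="$2"
    openssl x509 -in "$cert" -noout -text | grep -q "DNS:$name"
}

# Step 1: the load balancer needs a host entry and service principals, since
# the IPA CA refuses a SAN for a principal that does not exist.
run ipa host-add "$LB_HOST"
run ipa service-add "HTTP/$LB_HOST@$REALM"
run ipa service-add "LDAP/$LB_HOST@$REALM"

# Step 2: let the backends manage the LB services; the CA checks that the
# requesting host may manage the principal named in the SAN before issuing.
for b in $BACKENDS; do
    run ipa service-add-host "HTTP/$LB_HOST@$REALM" --hosts="$b"
    run ipa service-add-host "LDAP/$LB_HOST@$REALM" --hosts="$b"
done

# Step 3: on each backend, request its own HTTP and LDAP certs with the
# load-balancer name as an additional SAN.
for b in $BACKENDS; do
    for svc in HTTP LDAP; do
        req=$(getcert_cmd "$svc" "$b" "$LB_HOST")
        if [ "$DRY_RUN" = "1" ]; then
            printf '%s\n' "$req"
        else
            eval "$req"
        fi
    done
done
```

The `-D` option may be repeated, so additional names (an alias, a second front end) go in the same request; `san_present` is the check to run once certmonger reports the certificate as issued, before pointing haproxy at the backends.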
