On 09/15/2015 12:35 PM, Brian J. Murrell wrote: > On Sat, 2015-09-12 at 08:57 -0400, Brian J. Murrell wrote: >> Due to the bug in mod_nss that prevents SNI from functioning (i.e. >> limits a port to a single certificate) I need to add SANs >> (SubjectAltName) to the certificate that freeipa created for the >> webserver (Server-Cert) so that I can add more virtual hosts to the >> same Apache instance (yes, I know this is not advised but budgetary >> constraints are at play here). >> >> How do I go about that? Do I want to resubmit the certificate >> request >> with some -D alt.name1 -D alt.name2, etc. parameters as such: >> >> # ipa-getcert resubmit -i <Request ID> -D alt.name1 -D alt.name2 >> >> Is that the correct operation? If so, is there anything more I need >> to >> do after that? > > Nobody knows? I would have thought that this would be one of the > easier routines in IPA certificate handling, no?
BTW, there was related thread on freeipa-users in the past, with some links to related information: https://www.redhat.com/archives/freeipa-users/2012-June/msg00216.html I assume the only change since then is that FreeIPA now supports proper SAN extension. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project