With a bit of tweaking, I was able to generate a usable certificate by creating 
a second host entry, 'wildcard.blah.example.com', managed by blah.example.com, 
and then editing the leftmost label from 'wildcard' to '*' in all of the host's 
LDAP entry's properties. 

On Apr 3, 2017, at 6:41 PM, Fraser Tweedale <ftwee...@redhat.com> wrote:
> The only way is to create a profile that hard-codes the desired SAN
> data, then use that profile.

Out of curiosity, if my LDAP approach didn't work, how would I do that? I 
assume it involves `ipa certprofile-import`, but is there any documentation on 
the format it expects? The examples I've found have no mention of SANs at all, 
so it's not clear how I would hard code the desired SAN.

> Is your instance publicly hosted?  Perhaps the sandstorm.io
> developers could support ACME/Let's Encrypt so that certs can be
> automatically acquired for each domain...

This would be possible, I assume, but it would couple the sandstorm instance 
rather tightly to its CA --- requiring the CA to issue a certificate for every 
new user session. Let's Encrypt does rate limiting which would prevent this, 
for example.

An alternative would be to run a local sub-CA for uses like sandstorm, but this 
would require a CA to support issuing name-constrained sub-CAs (and if wildcard 
certs are considered too sloppily implemented in real-world clients to be 
trustworthy, then name constraints definitely are!). 

> But see also §7.2 which states that wildcard certs are deprecated :)
> https://tools.ietf.org/html/rfc6125#section-7.2

Only mostly deprecated; it admits of legitimate uses for them. :) Wildcards are 
not the best feature of the web PKI, I agree, and I wouldn't want to use them 
if I could think of a viable alternative.

(And consider that putting domains in the CN has been deprecated since 
HTTPS/TLS was even a standard, back in 2000 --- yet everyone still does that.)
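As an added example that is not part of this thread: a minimal matcher for the RFC 6125 section 6.4.3 wildcard rules the quoted reply points at, tightened to the whole-leftmost-label form that current clients enforce (the "sloppy" partial-label and multi-label matches are rejected). The hostnames used are constructed test values, not anything from the thread.

```python
"""RFC 6125 section 6.4.3 style matching of a presented dNSName against a hostname."""
from typing import Iterable, List, Optional


def _labels(name: str) -> List[str]:
    # DNS names are case-insensitive; a trailing dot is just absolute-name syntax.
    return name.lower().rstrip(".").split(".")


def wildcard_matches(presented: str, reference: str) -> bool:
    """Return True if a presented SAN dNSName matches the reference hostname.

    Rules applied:
      * exact, case-insensitive match always succeeds;
      * '*' is accepted only as the complete leftmost label, so
        'w*.example.com' and 'foo.*.example.com' are rejected;
      * '*' matches exactly one label: '*.example.com' matches
        'foo.example.com' but not 'example.com' or 'bar.foo.example.com';
      * at least two labels must follow the wildcard, so '*.com' is rejected
        (common client practice rather than a MUST in the RFC).
    """
    p, r = _labels(presented), _labels(reference)
    if "*" in reference or "" in r:
        return False  # reference identifiers never carry wildcards or empty labels
    if "*" not in presented:
        return p == r
    if presented.count("*") != 1 or p[0] != "*":
        return False  # wildcard must be the whole leftmost label, and the only one
    if len(p) < 3:
        return False  # refuse '*.com' style names
    if len(r) != len(p):
        return False  # wildcard covers exactly one label
    return p[1:] == r[1:]


def find_matching_name(san_dns_names: Iterable[str], hostname: str) -> Optional[str]:
    """Return the first SAN dNSName entry that matches hostname, or None."""
    for name in san_dns_names:
        if wildcard_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    # Constructed sample: a SAN list like the one the host entry above would yield.
    sans = ["blah.example.com", "*.blah.example.com"]
    print(find_matching_name(sans, "alice.blah.example.com"))  # *.blah.example.com
    print(find_matching_name(sans, "x.alice.blah.example.com"))  # None
```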

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project