It seems that Firefox has now started warning about certificates that don't include a subject alternative name. (Honestly, I had no idea that it wasn't already doing so; Chrome has been doing this for years.)
My EL7 FreeIPA server still uses a "sans SAN" certificate for its HTTPS interface, so I would like to regenerate it. 1. Is it possible to use ipa-getcert to request an early renewal, or do I have to delete/recreate it? 2. This is a fully updated CentOS 7 system, running the included version of FreeIPA (ipa-server-4.6.8-5.el7.centos.10.x86_64). Will it automatically include a SAN extension when it renews the server certificate (or issues a new one), or do I need to modify a certificate profile? 3. Related to the above, which profile should I use if I need to issue a completely new certificate - caIPAserviceCert? 4. Are any other steps necessary? I.e., if I have to delete and re- issue the certificate, do I need to update any other configuration files or directory records to reference the new certificate? Thanks! -- ======================================================================== Google Where SkyNet meets Idiocracy ======================================================================== _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure