It seems that Firefox has now started warning about certificates that
don't include a subject alternative name.  (Honestly, I had no idea that
it wasn't already doing so; Chrome has been doing this for years.)

My EL7 FreeIPA server still uses a "sans SAN" certificate for its HTTPS
interface, so I would like to regenerate it.

1.  Is it possible to use ipa-getcert to request an early renewal, or do
    I have to delete/recreate it?

2.  This is a fully updated CentOS 7 system, running the included
    version of FreeIPA (ipa-server-4.6.8-5.el7.centos.10.x86_64).  Will
    it automatically include a SAN extension when it renews the server
    certificate (or issues a new one), or do I need to modify a
    certificate profile?

3.  Related to the above, which profile should I use if I need to
    issue a completely new certificate - caIPAserviceCert?

4.  Are any other steps necessary?  I.e., if I have to delete and re-
    issue the certificate, do I need to update any other configuration
    files or directory records to reference the new certificate?

Thanks!

--
========================================================================
Google                                      Where SkyNet meets Idiocracy
========================================================================