[Freeipa-users] Re: X509v3 Subject Alternative Name in IPA master Webserver certificate

2017-11-30 Thread dbischof--- via FreeIPA-users

Hi Alexander,

On Thu, 30 Nov 2017, Alexander Bokovoy via FreeIPA-users wrote:


> On Thu, 30 Nov 2017, dbischof--- via FreeIPA-users wrote:
>
> > one of my IPA masters (master.example.com, IPA 4.5) runs a Dokuwiki and a
> > DAViCal instance besides IPA. DNS is external (not managed by IPA) and I
> > asked the DNS admin to create CNAMEs wiki.example.com and cal.example.com
> > that point to master.example.com.
> >
> > That works, but my users get browser warnings "SSL_ERROR_BAD_CERT_DOMAIN"
> > upon first connect via the CNAMEs and have to allow exceptions.
> > Unbeautiful.
> >
> > Therefore, I force-created dummy hosts in IPA and let them be managed by
> > master.example.com:
> >
> > $ ipa host-add wiki.example.com --force
> > $ ipa service-add HTTP/wiki.example.com --force
> > $ ipa service-add-host HTTP/wiki.example.com --host master.example.com
> >
> > If I would revoke the certificate for HTTP/master.example.com now (didn't
> > dare yet), will a new certificate be created that contains wiki.example.com
> > as X509v3 Subject Alternative Name? It probably isn't that easy, right?
>
> Yes, it is not that easy. You do not need to revoke anything, though.
>
> Use getcert to re-submit the existing certificate request that tracks your
> http certificate in /etc/httpd/alias:
>
> 1. Obtain the request ID:
> # getcert list -d /etc/httpd/alias
>
> 2. Re-submit the request with the additional SANs, retaining the original SAN
>    and Kerberos principal:
> # getcert resubmit -i "REQUEST-ID" -D master.example.com -D wiki.example.com -K HTTP/master.example.com
>
> 3. Watch that the request went to the MONITORING state:
> # getcert list -i "REQUEST-ID"
>
> You'll see that it has two 'dns' properties now.


Works like a charm, even with multiple "-D"s, big thank you.


Mit freundlichen Gruessen/With best regards,

--Daniel.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: X509v3 Subject Alternative Name in IPA master Webserver certificate

2017-11-30 Thread Alexander Bokovoy via FreeIPA-users

On Thu, 30 Nov 2017, dbischof--- via FreeIPA-users wrote:

> Dear list,
>
> one of my IPA masters (master.example.com, IPA 4.5) runs a Dokuwiki
> and a DAViCal instance besides IPA. DNS is external (not managed by
> IPA) and I asked the DNS admin to create CNAMEs wiki.example.com and
> cal.example.com that point to master.example.com.
>
> That works, but my users get browser warnings
> "SSL_ERROR_BAD_CERT_DOMAIN" upon first connect via the CNAMEs and have
> to allow exceptions. Unbeautiful.
>
> Therefore, I force-created dummy hosts in IPA and let them be managed
> by master.example.com:
>
> $ ipa host-add wiki.example.com --force
> $ ipa service-add HTTP/wiki.example.com --force
> $ ipa service-add-host HTTP/wiki.example.com --host master.example.com
>
> If I would revoke the certificate for HTTP/master.example.com now
> (didn't dare yet), will a new certificate be created that contains
> wiki.example.com as X509v3 Subject Alternative Name? It probably isn't
> that easy, right?

Yes, it is not that easy. You do not need to revoke anything, though.

Use getcert to re-submit the existing certificate request that tracks your
http certificate in /etc/httpd/alias:

1. Obtain the request ID:
# getcert list -d /etc/httpd/alias

2. Re-submit the request with the additional SANs, retaining the original SAN
   and Kerberos principal:
# getcert resubmit -i "REQUEST-ID" -D master.example.com -D wiki.example.com -K HTTP/master.example.com

3. Watch that the request went to the MONITORING state:
# getcert list -i "REQUEST-ID"

You'll see that it has two 'dns' properties now.

--
/ Alexander Bokovoy
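An added check, not code from the thread or from FreeIPA/certmonger: a Python script that parses the `getcert list -i "REQUEST-ID"` output from step 3 and reports whether the request reached MONITORING, whether the Kerberos principal was retained, and which hostnames (here also cal.example.com) are still not covered by any dNSName SAN. The sample output is constructed and its field layout is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample of `getcert list -i "REQUEST-ID"` output after the
# resubmit in the thread. The "key: value" layout follows certmonger's usual
# output, but it is an assumption, not output captured from a real system.
GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 1.
Request ID '20171130120000':
\tstatus: MONITORING
\tsubject: CN=master.example.com,O=EXAMPLE.COM
\tdns: master.example.com
\tdns: wiki.example.com
\tprincipal name: HTTP/master.example.com@EXAMPLE.COM
"""

def parse_getcert(text: str) -> Dict[str, List[str]]:
    """Collect the indented 'key: value' lines of one tracked request.
    Keys such as 'dns' repeat, one line per SAN entry, so values are lists."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = re.match(r"^\s+([^:]+):\s*(.*)$", line)
        if m:
            fields.setdefault(m.group(1).strip(), []).append(m.group(2).strip())
    return fields

def san_matches(pattern: str, hostname: str) -> bool:
    """dNSName match as browsers apply it: case-insensitive, and '*' only as
    the whole left-most label, never spanning more than one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return p_labels == h_labels
    return p_labels[1:] == h_labels[1:]

def check_request(text: str, wanted: List[str], principal: str) -> dict:
    """Report whether the request reached MONITORING, still carries the
    Kerberos principal, and which wanted hostnames no SAN entry covers."""
    fields = parse_getcert(text)
    sans = fields.get("dns", [])
    return {
        "monitoring": fields.get("status") == ["MONITORING"],
        "principal_kept": principal in fields.get("principal name", []),
        "missing": [n for n in wanted if not any(san_matches(s, n) for s in sans)],
    }

# Names the poster wants covered; cal.example.com was not yet added with -D.
WANTED = ["master.example.com", "wiki.example.com", "cal.example.com"]
REPORT = check_request(GETCERT_OUTPUT, WANTED, "HTTP/master.example.com@EXAMPLE.COM")
```

Any name listed under "missing" is one the browser will still reject with SSL_ERROR_BAD_CERT_DOMAIN until it is added with another -D and the request re-submitted.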