Re: [Freeipa-users] Adding SAN to default self-signed cert?

2015-08-05 Thread Fraser Tweedale
On Tue, Aug 04, 2015 at 08:01:13AM -0700, Janelle wrote:
 Trying to figure this out:
 
 ipa host-add haproxy.example.com
 ipa service-add HTTP/haproxy.example@example.com
 ipa service-add LDAP/haproxy.example@example.com
 
 ipa-getcert request -d /tmp -n haproxy-cert -K LDAP/haproxy.example.com \
 -N 'CN=haproxy.example.com,O=EXAMPLE.COM'
 
 ^ this is where I am confused, because if I created a cert request for
 the new service, then why am I putting the name of the haproxy in the SAN?
 Unless I am completely misreading your suggestion?
 
You need to add haproxy.example.com as a SAN of the IPA host, or
vice-versa.

Also, the service in the SAN must be managed by the host on which
the certificate is issued (i.e. the host in the CN).  You can do
this in the web UI: Services → {service} → Hosts → Add.  I do not
know of a way to do this via CLI - if someone knows a way please
shout out!

So if the IPA service is `HTTP/ipa.example.com' and load balancer
service `HTTP/haproxy.example.com' is managed by host
`ipa.example.com', you can run:

  ipa-getcert request {nssdb-options} -n haproxy-cert \
      -K HTTP/ipa.example.com \
      -N CN=ipa.example.com \
      -D haproxy.example.com

-K gives principal, -N gives DN and -D gives dNSName SAN.

HTH,
Fraser

 Thank you
 ~J
 
 On 8/2/15 8:53 PM, Fraser Tweedale wrote:
 On Sun, Aug 02, 2015 at 02:59:52PM -0700, Janelle wrote:
 Hello everyone,
 
 I was wondering if anyone knows of a way to add SAN(s) to the self-signed
 certificates that are installed when you install freeipa? Or am I stuck
 having to do a re-install and use new certificates?  If you try to run
 haproxy as a load balancer in front of the ldap/http servers, well, as you
 might guess the haproxy server name needs to be added somehow to the server
 configs so it is a SAN of the existing self-signed certs.  I can't think of
 any way to do it, but maybe some of the pki experts here have an idea?
 
 Thank you
 ~Janelle
 
 You do not need a SAN on the root certificate, but on the service
 certificates.  This is supported: you first need to create a service
 principal for the load balancer, then issue a new service
 certificate with the haproxy SAN in the CSR (the getcert `-D' option
 can be used to add a SAN to a certmonger request).
 
 HTH,
 Fraser
 
 -- 
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go to http://freeipa.org for more info on the project
 



Re: [Freeipa-users] Adding SAN to default self-signed cert?

2015-08-04 Thread Janelle

Trying to figure this out:

ipa host-add haproxy.example.com
ipa service-add HTTP/haproxy.example@example.com
ipa service-add LDAP/haproxy.example@example.com

ipa-getcert request -d /tmp -n haproxy-cert -K LDAP/haproxy.example.com \
-N 'CN=haproxy.example.com,O=EXAMPLE.COM'


^ this is where I am confused, because if I created a cert request 
for the new service, then why am I putting the name of the haproxy in 
the SAN? Unless I am completely misreading your suggestion?


Thank you
~J

On 8/2/15 8:53 PM, Fraser Tweedale wrote:

On Sun, Aug 02, 2015 at 02:59:52PM -0700, Janelle wrote:

Hello everyone,

I was wondering if anyone knows of a way to add SAN(s) to the self-signed
certificates that are installed when you install freeipa? Or am I stuck
having to do a re-install and use new certificates?  If you try to run
haproxy as a load balancer in front of the ldap/http servers, well, as you
might guess the haproxy server name needs to be added somehow to the server
configs so it is a SAN of the existing self-signed certs.  I can't think of
any way to do it, but maybe some of the pki experts here have an idea?

Thank you
~Janelle


You do not need a SAN on the root certificate, but on the service
certificates.  This is supported: you first need to create a service
principal for the load balancer, then issue a new service
certificate with the haproxy SAN in the CSR (the getcert `-D' option
can be used to add a SAN to a certmonger request).

HTH,
Fraser




Re: [Freeipa-users] Adding SAN to default self-signed cert?

2015-08-02 Thread Fraser Tweedale
On Sun, Aug 02, 2015 at 02:59:52PM -0700, Janelle wrote:
 Hello everyone,
 
 I was wondering if anyone knows of a way to add SAN(s) to the self-signed
 certificates that are installed when you install freeipa? Or am I stuck
 having to do a re-install and use new certificates?  If you try to run
 haproxy as a load balancer in front of the ldap/http servers, well, as you
 might guess the haproxy server name needs to be added somehow to the server
 configs so it is a SAN of the existing self-signed certs.  I can't think of
 any way to do it, but maybe some of the pki experts here have an idea?
 
 Thank you
 ~Janelle
 
You do not need a SAN on the root certificate, but on the service
certificates.  This is supported: you first need to create a service
principal for the load balancer, then issue a new service
certificate with the haproxy SAN in the CSR (the getcert `-D' option
can be used to add a SAN to a certmonger request).

HTH,
Fraser

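As an added worked example (not code from the thread, nor from the FreeIPA project), the procedure Fraser sketches in this reply and spells out in his 2015-08-05 follow-up, written out as a bash script: enrol the load-balancer host and its HTTP service, make that service manageable by the IPA host with `ipa service-add-host` (assumed here to be the CLI counterpart of the web UI step Services → {service} → Hosts → Add; the thread itself does not confirm a CLI way), request the certificate through certmonger with `-K`, `-N` and `-D`, and then check that the issued certificate really lists the load-balancer name as a dNSName SAN. The hostnames ipa.example.com and haproxy.example.com, the realm EXAMPLE.COM, and the NSS database path and nickname passed to the request function are assumptions. The IPA commands need root on the IPA host and an admin ticket, so they are defined but not run; the self-check at the end uses a constructed self-signed certificate with the same subject/SAN layout so the SAN-parsing logic can be exercised without an IPA server. The same steps apply to the LDAP/ service with the directory server's NSS database.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from FreeIPA itself.
# Assumed names: IPA server ipa.example.com, load balancer haproxy.example.com,
# realm EXAMPLE.COM. Requires bash and the openssl command-line tool.
set -euo pipefail

# Step 1 (needs root on the IPA host and an admin ticket; defined here but not
# run): enrol the load-balancer host and its HTTP service, let the IPA host
# manage that service (assumed CLI counterpart of the web UI step
# Services -> {service} -> Hosts -> Add), then ask certmonger for a certificate
# whose subject names the IPA host and whose SAN also lists the LB name.
request_lb_cert() {
    local ipa_host=$1 lb_host=$2 nssdb=$3 nick=$4
    ipa host-add "$lb_host" --force          # --force: LB may have no DNS record yet
    ipa service-add "HTTP/$lb_host"
    ipa service-add-host "HTTP/$lb_host" --hosts="$ipa_host"
    ipa-getcert request -d "$nssdb" -n "$nick" \
        -K "HTTP/$ipa_host" \
        -N "CN=$ipa_host,O=EXAMPLE.COM" \
        -D "$ipa_host" -D "$lb_host"         # -D may be repeated, one SAN each
    ipa-getcert list -d "$nssdb" -n "$nick"  # wait for "status: MONITORING"
}
# Example call (assumed paths):
#   request_lb_cert ipa.example.com haproxy.example.com /path/to/nssdb haproxy-cert

# Step 2: print the dNSName SAN entries of a PEM certificate, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Return 0 if NAME is a dNSName SAN of CERT, 1 otherwise. Only SANs are
# consulted: TLS clients ignore the CN once a SAN extension is present, which
# is why the LB name has to be in the SAN and not merely in the subject.
cert_covers_name() {
    cert_dns_names "$1" | grep -Fx -- "$2" >/dev/null
}

# Step 3: offline self-check with a constructed self-signed certificate that
# stands in for the one IPA would issue (same subject and SAN layout).
demo_selfcheck() {
    local dir
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=ipa.example.com/O=EXAMPLE.COM' \
        -addext 'subjectAltName=DNS:ipa.example.com,DNS:haproxy.example.com' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    local rc=0
    cert_covers_name "$dir/cert.pem" haproxy.example.com || rc=1   # LB name present
    cert_covers_name "$dir/cert.pem" ipa.example.com     || rc=1   # own name present
    ! cert_covers_name "$dir/cert.pem" other.example.com || rc=1   # unlisted name rejected
    rm -rf "$dir"
    return "$rc"
}

if demo_selfcheck; then
    echo "SAN check OK: haproxy.example.com is covered, other.example.com is not"
else
    echo "SAN check FAILED" >&2
    exit 1
fi
```

To check a certificate certmonger has stored in an NSS database, export it first (for example `certutil -L -d /path/to/nssdb -n haproxy-cert -a > cert.pem`) and run `cert_covers_name cert.pem haproxy.example.com`; every backend that haproxy forwards to must pass this check for the front-end name, or clients connecting through the load balancer will see a hostname mismatch.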


[Freeipa-users] Adding SAN to default self-signed cert?

2015-08-02 Thread Janelle

Hello everyone,

I was wondering if anyone knows of a way to add SAN(s) to the
self-signed certificates that are installed when you install freeipa?
Or am I stuck having to do a re-install and use new certificates?  If
you try to run haproxy as a load balancer in front of the ldap/http
servers, well, as you might guess the haproxy server name needs to be
added somehow to the server configs so it is a SAN of the existing
self-signed certs.  I can't think of any way to do it, but maybe some of
the pki experts here have an idea?


Thank you
~Janelle
