Re: [Freeipa-users] Adding SAN to default self-signed cert?
On Tue, Aug 04, 2015 at 08:01:13AM -0700, Janelle wrote:
> Trying to figure this out:
>
> ipa host-add haproxy.example.com
> ipa service-add HTTP/haproxy.example@example.com
> ipa service-add LDAP/haproxy.example@example.com
> ipa-getcert request -d /tmp -n haproxy-cert -K LDAP/haproxy.example.com -N 'CN=haproxy.example.com,O=EXAMPLE.COM'
>                                                                               ^
> this is where I am confused, because if I created a cert request for the new service, then why am I putting the name of the haproxy in the SAN? Unless I am completely misreading your suggestion?
>
You need to add haproxy.example.com as a SAN of the IPA host, or vice-versa. Also, the service in the SAN must be managed by the host on which the certificate is issued (i.e. the host in the CN). You can do this in the web UI: Services -> {service} -> Hosts -> Add. I do not know of a way to do this via CLI - if someone knows a way please shout out!

So if the IPA service is `HTTP/ipa.example.com' and load balancer service `HTTP/haproxy.example.com' is managed by host `ipa.example.com', you can run:

    ipa-getcert request {nssdb-options} -n haproxy-cert \
        -K HTTP/ipa.example.com \
        -N CN=ipa.example.com \
        -D haproxy.ipa.local

-K gives principal, -N gives DN and -D gives dNSName SAN.

HTH,
Fraser

> Thank you
> ~J
>
> On 8/2/15 8:53 PM, Fraser Tweedale wrote:
>> On Sun, Aug 02, 2015 at 02:59:52PM -0700, Janelle wrote:
>>> Hello everyone,
>>>
>>> I was wondering if anyone knows of a way to add SAN(s) to the self-signed certificate that are installed when you installed freeipa? Or am I stuck having to do a re-install and use new certificates?
>>>
>>> If you try to run haproxy as a load balancer in front of the ldap/http servers, well, as you might guess the haproxy server name needs to be added somehow to the server configs so it is a SAN of the existing self-signed certs. I can't think of any way to do it, but maybe some of the pki experts here have any idea?
>>>
>>> Thank you
>>> ~Janelle
>>
>> You do not need a SAN on the root certificate, but on the service certificates. This is supported: you first need to create a service principal for the load balancer, then issue a new service certificate with the haproxy SAN in the CSR (the getcert `-D' option can be used to add a SAN to a certmonger request).
>>
>> HTH,
>> Fraser

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
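An added example, not part of the thread: it mimics offline what Fraser's certmonger request asks the IPA CA for, using an openssl self-signed stand-in in place of the IPA CA, and then checks which hostnames a TLS client would accept for the resulting cert. The CN stays the IPA host (-N CN=ipa.example.com), the load balancer name goes in only as a dNSName SAN (-D); haproxy.example.com is used for the SAN here instead of the haproxy.ipa.local in the quoted command, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread). Stand-in for:
#   ipa-getcert request -n haproxy-cert -K HTTP/ipa.example.com \
#       -N CN=ipa.example.com -D haproxy.example.com
set -eu

IPA_HOST=ipa.example.com        # host in the CN; owns the HTTP/ principal
LB_HOST=haproxy.example.com     # load balancer name; SAN only, never the CN
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Request config equivalent to the -N (subject) and -D (dNSName SAN) options.
write_cfg() {
    cat > "$WORK/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $IPA_HOST
O = EXAMPLE.COM
[ext]
subjectAltName = DNS:$IPA_HOST,DNS:$LB_HOST
EOF
}

# Self-signed stand-in for the service cert the IPA CA would issue.
# (Only the CA signature differs; subject and SAN are what matter here.)
make_cert() {
    write_cfg
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -config "$WORK/san.cnf" >/dev/null 2>&1
}

# Exit 0 if a hostname-verifying TLS client would accept the cert for $1.
# -checkhost prints "Hostname X does match certificate" or "does NOT match".
cert_covers() {
    openssl x509 -in "$WORK/cert.pem" -noout -checkhost "$1" | grep -q 'does match'
}

make_cert
cert_covers "$LB_HOST" && echo "cert covers $LB_HOST via SAN"
cert_covers "$IPA_HOST" && echo "cert still covers $IPA_HOST"
if cert_covers other.example.com; then echo "unexpected"; exit 1; fi
echo "other.example.com is not covered, as intended"
```

Without the `-D` (here: the second `DNS:` entry) the cert would be rejected for the load balancer name even though the CN host is the one that served it, which is exactly the failure the original question describes.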
Re: [Freeipa-users] Adding SAN to default self-signed cert?
Trying to figure this out:

ipa host-add haproxy.example.com
ipa service-add HTTP/haproxy.example@example.com
ipa service-add LDAP/haproxy.example@example.com
ipa-getcert request -d /tmp -n haproxy-cert -K LDAP/haproxy.example.com -N 'CN=haproxy.example.com,O=EXAMPLE.COM'
                                                                              ^
this is where I am confused, because if I created a cert request for the new service, then why am I putting the name of the haproxy in the SAN? Unless I am completely misreading your suggestion?

Thank you
~J

On 8/2/15 8:53 PM, Fraser Tweedale wrote:
> On Sun, Aug 02, 2015 at 02:59:52PM -0700, Janelle wrote:
>> Hello everyone,
>>
>> I was wondering if anyone knows of a way to add SAN(s) to the self-signed certificate that are installed when you installed freeipa? Or am I stuck having to do a re-install and use new certificates?
>>
>> If you try to run haproxy as a load balancer in front of the ldap/http servers, well, as you might guess the haproxy server name needs to be added somehow to the server configs so it is a SAN of the existing self-signed certs. I can't think of any way to do it, but maybe some of the pki experts here have any idea?
>>
>> Thank you
>> ~Janelle
>
> You do not need a SAN on the root certificate, but on the service certificates. This is supported: you first need to create a service principal for the load balancer, then issue a new service certificate with the haproxy SAN in the CSR (the getcert `-D' option can be used to add a SAN to a certmonger request).
>
> HTH,
> Fraser
Re: [Freeipa-users] Adding SAN to default self-signed cert?
On Sun, Aug 02, 2015 at 02:59:52PM -0700, Janelle wrote:
> Hello everyone,
>
> I was wondering if anyone knows of a way to add SAN(s) to the self-signed certificate that are installed when you installed freeipa? Or am I stuck having to do a re-install and use new certificates?
>
> If you try to run haproxy as a load balancer in front of the ldap/http servers, well, as you might guess the haproxy server name needs to be added somehow to the server configs so it is a SAN of the existing self-signed certs. I can't think of any way to do it, but maybe some of the pki experts here have any idea?
>
> Thank you
> ~Janelle

You do not need a SAN on the root certificate, but on the service certificates. This is supported: you first need to create a service principal for the load balancer, then issue a new service certificate with the haproxy SAN in the CSR (the getcert `-D' option can be used to add a SAN to a certmonger request).

HTH,
Fraser
[Freeipa-users] Adding SAN to default self-signed cert?
Hello everyone,

I was wondering if anyone knows of a way to add SAN(s) to the self-signed certificate that are installed when you installed freeipa? Or am I stuck having to do a re-install and use new certificates?

If you try to run haproxy as a load balancer in front of the ldap/http servers, well, as you might guess the haproxy server name needs to be added somehow to the server configs so it is a SAN of the existing self-signed certs. I can't think of any way to do it, but maybe some of the pki experts here have any idea?

Thank you
~Janelle