Re: [Freeipa-users] Sign certificates with subjectAltName

2015-01-27 Thread Craig White
-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: Tuesday, January 27, 2015 2:09 PM
To: Craig White
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Sign certificates with subjectAltName

On Tue, 27 Jan 2015, Craig White wrote:
>$ rpm -q ipa-server
>ipa-server-3.0.0-42.el6.x86_64
>
>I tend to revert to openssl as I have some familiarity with it.
>
>ipa service-add HTTP/p1nxut01.stt.local
>
>excellent except we wanted human friendly certificates/SSL
>
>So I created a one-off openssl.cnf file with subjectAltName configured and 
>generated csr and key files...
>grep subjectAltName openssl.cnf
>subjectAltName="nexus.stt.local"
>openssl req -new -config /etc/ssl/openssl.cnf -out p1nxut01.csr -keyout 
>p1nxut01.key
>
>and then passed them on to IPA for signing...
>ipa cert-request p1nxut01.csr --principal 
>host/p1nxut01.stt.local@STT.LOCAL
>and it was reported serial #44
>
>so I retrieved the certificate...
>ipa cert-show 44 --out=/etc/ssl/p1nxut01.stt.local.crt
>
>openssl x509 -in p1nxut01.stt.local.crt -noout -text
>
>but no subjectAltNames are listed  :-(
>
>can someone hit me with a cluestick?
Yes, this is not supported in 3.0.0.
We implemented support for it in 4.1, see
https://bugzilla.redhat.com/show_bug.cgi?id=1112605

Thanks Alexander - not the cluestick I was hoping for but obviously definitive.


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
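The procedure quoted above (CSR carrying a subjectAltName, submit to the CA, inspect the issued certificate) as an added shell example; it is not code from the thread or from FreeIPA. Because the point of Alexander's answer is that a SAN in a CSR is only a request that the CA may or may not honour (IPA 3.0.0 did not), the script stands in for the CA with a local self-signature so it runs offline, and signs the same CSR twice: once the way `openssl x509 -req` does by default, which drops requested extensions, and once with the extension section supplied, which keeps them. The host names are taken from the thread; the config layout (`req_extensions` section with `DNS:` entries, which is the form `openssl req` expects), the temporary paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: request a SAN certificate with OpenSSL
# and verify whether the issuer actually kept the requested SAN.
set -eu

WORK="$(mktemp -d)"            # assumed scratch location
trap 'rm -rf "$WORK"' EXIT
SAN_CFG="$WORK/openssl-san.cnf"

# Constructed config: the SAN must live in a req_extensions section and use
# the DNS: prefix, otherwise openssl req silently requests no extension.
cat > "$SAN_CFG" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_req
[ dn ]
[ v3_req ]
subjectAltName = DNS:p1nxut01.stt.local, DNS:nexus.stt.local
EOF

# Generate key and CSR non-interactively (subject given on the command line).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$SAN_CFG" -subj "/CN=p1nxut01.stt.local" \
    -keyout "$WORK/p1nxut01.key" -out "$WORK/p1nxut01.csr" 2>/dev/null
}

# Print the DNS names in the subjectAltName of a CSR ($1=req) or a
# certificate ($1=x509), one per line; prints nothing if the extension is absent.
san_dns_names() {
  openssl "$1" -in "$2" -noout -text \
    | awk '/Subject Alternative Name/{getline; print}' \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Stand-in CA, default behaviour: requested extensions are not copied.
sign_dropping_extensions() {
  openssl x509 -req -in "$WORK/p1nxut01.csr" -signkey "$WORK/p1nxut01.key" \
    -days 1 -out "$WORK/no-san.crt" 2>/dev/null
}

# Stand-in CA that explicitly adds the v3_req extensions to the certificate.
sign_with_extensions() {
  openssl x509 -req -in "$WORK/p1nxut01.csr" -signkey "$WORK/p1nxut01.key" \
    -days 1 -extfile "$SAN_CFG" -extensions v3_req -out "$WORK/san.crt" 2>/dev/null
}

# "yes" if the certificate ($2) carries every DNS name the CSR ($1) asked for,
# "no" otherwise. This is the check to run on whatever the CA hands back.
cert_keeps_requested_sans() {
  for name in $(san_dns_names req "$1"); do
    san_dns_names x509 "$2" | grep -qx "$name" || { echo no; return 0; }
  done
  echo yes
}

make_csr
sign_dropping_extensions
sign_with_extensions
echo "CSR requests SANs: $(san_dns_names req "$WORK/p1nxut01.csr" | tr '\n' ' ')"
echo "cert signed without extension file keeps SANs: $(cert_keeps_requested_sans "$WORK/p1nxut01.csr" "$WORK/no-san.crt")"
echo "cert signed with extension file keeps SANs:    $(cert_keeps_requested_sans "$WORK/p1nxut01.csr" "$WORK/san.crt")"
```

The same `cert_keeps_requested_sans` check applies to a certificate fetched with `ipa cert-show`: compare it against the CSR that was submitted rather than trusting that the CA copied the extension, since a CA profile that ignores requested extensions produces a perfectly valid certificate that simply lacks the names the service needs.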


Re: [Freeipa-users] Sign certificates with subjectAltName

2015-01-27 Thread Alexander Bokovoy

On Tue, 27 Jan 2015, Craig White wrote:

>$ rpm -q ipa-server
>ipa-server-3.0.0-42.el6.x86_64
>
>I tend to revert to openssl as I have some familiarity with it.
>
>ipa service-add HTTP/p1nxut01.stt.local
>
>excellent except we wanted human friendly certificates/SSL
>
>So I created a one-off openssl.cnf file with subjectAltName configured and 
>generated csr and key files...
>grep subjectAltName openssl.cnf
>subjectAltName="nexus.stt.local"
>openssl req -new -config /etc/ssl/openssl.cnf -out p1nxut01.csr -keyout 
>p1nxut01.key
>
>and then passed them on to IPA for signing...
>ipa cert-request p1nxut01.csr --principal 
>host/p1nxut01.stt.local@STT.LOCAL
>and it was reported serial #44
>
>so I retrieved the certificate...
>ipa cert-show 44 --out=/etc/ssl/p1nxut01.stt.local.crt
>
>openssl x509 -in p1nxut01.stt.local.crt -noout -text
>
>but no subjectAltNames are listed  :-(
>
>can someone hit me with a cluestick?

Yes, this is not supported in 3.0.0.
We implemented support for it in 4.1, see
https://bugzilla.redhat.com/show_bug.cgi?id=1112605

--
/ Alexander Bokovoy
