Hi Martin,

Thanks, I saw that ticket but didn't get to the wiki part yet.

What I wonder in Step 6:

6. Request a signed certificate for the service and see the entry in Certmonger. In case you created a NSS database with a PIN (see the step 3.), use -P $PIN or -p /etc/httpd/nssdb/pwdfile.txt option to tell certmonger about it:

# ipa-getcert request -d /etc/httpd/nssdb -n Server-Cert -K HTTP/`hostname` -N CN=`hostname`,O=EXAMPLE.COM -g 2048 -p /etc/httpd/nssdb/pwdfile.txt

SAN names: in FreeIPA 4.0 and later, you can add optional SAN DNS names to your request with -D. Note that you need to first create respective host or service objects and configure that given host can manage them with service-add-host or host-add-managedby command. These objects are being verified when FreeIPA cert-req command authorizes the SAN names.

Can I just add the alt names in that command? How should I proceed?

I added the host like ldap.domain... where my ldap servers are ldap-01 and ldap-02

Thanks!

Matt

2015-03-06 14:08 GMT+01:00 Martin Kosek <[email protected]>:
> On 03/06/2015 01:30 PM, Matt . wrote:
>>
>> Hi,
>>
>> I'm figuring out how to regenerate the webserver certificates so I can
>> use a loadbalancer in front of my ipa servers.
>>
>> I see in the docs there is information about this, but not for the
>> webservice. Does anyone have some directions ?
>>
>> Thanks.
>>
>> Matt
>>
>
> Certificate SubjectAltName was fixed in FreeIPA 4.0, this is the upstream
> ticket:
> https://fedorahosted.org/freeipa/ticket/3977
>
> The procedure is described in upstream wiki for example:
> http://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger
>
> HTH,
> Martin
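
The sequence the quoted wiki step describes, written out as an added example (it is not part of this thread or of the FreeIPA wiki): the script only prints the commands, it does not run them. The host names, the realm and the `san_plan` and `valid_fqdn` helpers are constructed for illustration, and creating the SAN objects with `ipa host-add` and `ipa service-add` as an `HTTP/` service is an assumption about what "create respective host or service objects" means for this setup.

```sh
#!/bin/sh
# Added example: prints (does not run) the FreeIPA commands for a SAN request.
# All host names, the realm and the SAN used here are constructed placeholders.

# Accept only plain DNS names, so a value cannot smuggle an extra option
# (leading "-") or shell syntax into the generated commands.
valid_fqdn() {
    case "$1" in
        ""|-*|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# san_plan SAN REALM HOST...
#   SAN   - extra DNS name (the load balancer) for subjectAltName
#   REALM - value for O= in the subject, as in the wiki command
#   HOST  - each IPA server that requests its own certificate
san_plan() {
    [ "$#" -ge 3 ] || { echo "usage: san_plan SAN REALM HOST..." >&2; return 1; }
    san=$1; realm=$2; shift 2
    for n in "$san" "$realm" "$@"; do
        valid_fqdn "$n" || { echo "rejected name: $n" >&2; return 1; }
    done

    echo "# once, as an IPA admin: objects that cert-req checks for the SAN"
    echo "ipa host-add $san"          # assumed step: host entry for the SAN name
    echo "ipa service-add HTTP/$san"  # assumed step: service entry for the SAN name
    for h in "$@"; do
        # let each real server manage the SAN service (named in the wiki text)
        echo "ipa service-add-host HTTP/$san --hosts=$h"
    done
    for h in "$@"; do
        echo "# on $h: the wiki's step 6 command plus -D for the SAN"
        echo "ipa-getcert request -d /etc/httpd/nssdb -n Server-Cert" \
             "-K HTTP/$h -N CN=$h,O=$realm -g 2048" \
             "-p /etc/httpd/nssdb/pwdfile.txt -D $san"
    done
}

san_plan ldap.example.com EXAMPLE.COM ldap-01.example.com ldap-02.example.com
```

After the requests are submitted, `ipa-getcert list` shows whether each one reached MONITORING or was rejected by the CA.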
