Hi,

I'm not sure I understood all of your problem, but here is some information that may help:

- First, you don't change a certificate, but you can revoke it and make a new one.
- If you need to add a SubjectAltName to a certificate, you may have realized that the -D parameter makes the request get rejected by FreeIPA when you try this:

ipa-getcert request -d $NSSPATH -n $CERTNAME -p $PWDFILE -N "CN=$FQDN,O=$DOMAIN" -D "$CNAME" -K $PRINCIPAL

You have to force FreeIPA to recognise the CNAME first.

$ ipa host-add cname.domain --force
$ ipa service-add service/fqdn
$ ipa service-add service/cname.domain --force
$ ipa service-add-host service/cname.domain --host fqdn

Then the ipa-getcert request will work.

I hope it helps (you or anyone else needing a subjectaltname in a certificate).

Cheers,

--
Youenn Piolet
[email protected]

2015-09-09 18:12 GMT+02:00 Petr Spacek <[email protected]>:

> On 5.9.2015 12:48, Günther J. Niederwimmer wrote:
> > Hello,
> >
> > System CentOS 7.
> >
> > is it possible to change a certificate to add a subject alt name?
> >
> > My "Problem" is, I have a Mail Server with name smtp.example.com and the
> > correct service certificates smtp/smtp.example.com & imap/example.com now I
> > make in my DNS Server (is an external system) a new Record "imap IN CNAME smtp"
> > but this is now missing in the certificate?
> >
> > The Problem I mean is DNSSEC, so I can't set up this with freeIPA and I don't
> > have a host/imap.example.com.
>
> I'm sorry but I do not see how this is related to DNS. It might not be related
> to IPA at all.
>
> IPA only issues the cert. If the cert contains both subjectAltNames then the
> problem is likely in your DNS configuration or in configuration on the
> application server side (where you installed the cert).
>
> Unfortunately I'm not able to tell you more without more details - what
> application you use, what versions, how you configured it, etc.
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
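A check to run once the ipa-getcert request in the reply above has been issued, added here as an example and not part of the original thread: it lists the DNS subjectAltName entries of a PEM certificate and reports any expected name that is missing. The function names and the /tmp path are assumptions of this example; it relies on the stock openssl and certutil tools.

```bash
#!/bin/bash
# Added example (not from the thread): confirm that an issued certificate
# really carries every DNS name the clients will connect to.

# san_dns_names PEMFILE
# Prints each DNS subjectAltName entry on its own line (nothing if the
# certificate has no SAN extension). Non-DNS entries are skipped.
san_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Subject Alternative Name' \
        | tail -n 1 \
        | tr ',' '\n' \
        | sed -n 's/^ *DNS://p'
}

# missing_sans PEMFILE NAME...
# Prints every expected NAME that is absent from the certificate's SAN list.
# Returns 0 when all names are covered, 1 when at least one is missing.
missing_sans() {
    local pem=$1; shift
    local have name rc=0
    have=$(san_dns_names "$pem")
    for name in "$@"; do
        # Whole-line, fixed-string, case-insensitive match: DNS names are
        # case-insensitive and must not be treated as regular expressions.
        if ! printf '%s\n' "$have" | grep -Fxqi -- "$name"; then
            printf '%s\n' "$name"
            rc=1
        fi
    done
    return $rc
}

# Usage with the NSS database from the request above (path is an assumption):
#   certutil -L -d "$NSSPATH" -n "$CERTNAME" -a > /tmp/cert.pem
#   missing_sans /tmp/cert.pem "$FQDN" "$CNAME" && echo "all names covered"
```
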
