If you want to serve web pages with SSL certificates that have Subject Alternative Names (SANs), and you use FreeIPA, you will need to take a few steps to make this possible. If you got to this page, you probably already know the importance of SANs on a cert.
This document will demonstrate how to get IPA to sign a certificate that has the ever-important SubjectAltName.
The FreeIPA domain is ipa.example.com.
Host storage1.ipa.example.com is serving https, and I want to also serve on other domain names:
You don’t even need to have all the SANs in the same domain!
Generate certificate with SAN in freeipa
Generate private key
openssl genrsa -aes256 -out /root/certs/https-storage1.ipa.example.com.key 2048
Use a simple passphrase you can remember.
Generate certificate signing request
Before you generate the CSR, you will need to modify the default openssl.cnf file so it produces a CSR with Subject Alternative Names.
In CentOS 7, that file is /etc/pki/tls/openssl.cnf.
In the [req] section, add the line
req_extensions = v3_req
In the [ v3_req ] section, add the following lines (this also creates a new [alt_names] section):
subjectAltName = @alt_names

[alt_names]
DNS.1 = secondary.domain.com
DNS.2 = storage1.ipa.example.com
DNS.3 = www.ipa.example.com
DNS.4 = www.example.com
You can also include IP.1 = 192.168.1.1 entries.
On my CentOS 7 system, here is the diff:
# diff /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.2017-05-19.01 126c126 < req_extensions = v3_req # The extensions to add to a certificate request --- > # req_extensions = v3_req # The extensions to add to a certificate request 225,232d224 < < subjectAltName = @alt_names < < [alt_names] < DNS.1 = secondary.domain.com < DNS.2 = storage1.ipa.example.com < DNS.3 = www.ipa.example.com < DNS.4 = www.example.com
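Review bot: the arguments are (edited file, backup), so the `<` lines are what was added to openssl.cnf and the single `>` line is the original commented-out `req_extensions`; that is the reverse of the usual old-then-new order and readers copying by sign should be told so. The second hunk (225,232d224) appends `subjectAltName = @alt_names` and the `[alt_names]` section at the very end of the file, and the hunk alone does not show which section header precedes line 225; `subjectAltName` only takes effect if it lands under `[ v3_req ]`, so suggest saying that explicitly and confirming the result with `openssl req -in file.csr -noout -text`, which must list the names under Subject Alternative Name before the CSR is submitted.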
Sign the certificate
In the web UI, you can navigate to Identity -> Services -> principal HTTP/storage1.ipa.example.com@IPA.EXAMPLE.COM.
Select the Actions button, and then New Certificate.
Paste the contents of the CSR file.
Retrieve the certificate
In the web UI, under the Service Certificate section, select the Actions button -> Get certificate. You can copy the text and save it to a file on the server from the terminal.
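The post never shows the CSR command itself, and the one thing that goes wrong in practice is a CSR that silently lacks the extension. The script below is an added example, not code from the original post: it keeps the [req] / [v3_req] / [alt_names] edits in a private config file instead of touching /etc/pki/tls/openssl.cnf, generates the key and CSR for storage1.ipa.example.com with the post's four names, and checks that the Subject Alternative Name extension is actually present before anything is handed to IPA. It also builds a second CSR with req_extensions left out to show what the failure looks like. It assumes only that openssl is in PATH; the key is generated without a passphrase so the script runs unattended (the post uses -aes256).

```shell
#!/bin/sh
# Added example, not code from the original post: generate a key and a CSR
# carrying the post's SANs from a private openssl config, then verify the
# SAN extension made it into the CSR. Assumes openssl is in PATH.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST=storage1.ipa.example.com

# Equivalent of the post's [req] / [v3_req] / [alt_names] edits, in one file.
write_san_config() {
    cat > "$WORKDIR/san.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
CN = $HOST

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = secondary.domain.com
DNS.2 = $HOST
DNS.3 = www.ipa.example.com
DNS.4 = www.example.com
EOF
}

# Same config with req_extensions omitted: what you get if the [req] edit is forgotten.
write_plain_config() {
    cat > "$WORKDIR/plain.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
prompt = no

[req_distinguished_name]
CN = $HOST
EOF
}

# Passphrase-less key so the example runs unattended (the post uses -aes256).
make_key() {
    openssl genrsa -out "$WORKDIR/$HOST.key" 2048 2>/dev/null
}

# make_csr CONFIG OUTFILE: build a CSR from CONFIG with the key above.
make_csr() {
    openssl req -new -key "$WORKDIR/$HOST.key" -config "$1" -out "$2"
}

# csr_has_sans CSRFILE: succeed only if every expected DNS name appears in the
# CSR's Subject Alternative Name extension. A CSR without the extension is
# signed just as happily, and the resulting cert is rejected for the extra names.
csr_has_sans() {
    sans=$(openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1)
    for name in secondary.domain.com "$HOST" www.ipa.example.com www.example.com; do
        case "$sans" in
            *"DNS:$name"*) ;;
            *) echo "$1: missing SAN $name" >&2; return 1 ;;
        esac
    done
}

write_san_config
write_plain_config
make_key
make_csr "$WORKDIR/san.cnf" "$WORKDIR/$HOST.csr"
make_csr "$WORKDIR/plain.cnf" "$WORKDIR/nosan.csr"

csr_has_sans "$WORKDIR/$HOST.csr" && echo "SAN CSR ready: $WORKDIR/$HOST.csr"
csr_has_sans "$WORKDIR/nosan.csr" || echo "nosan.csr has no SANs; do not submit this one"
```

Submit the CSR that passes the check through the web UI steps above, or from an enrolled host with `ipa cert-request --principal=HTTP/storage1.ipa.example.com@IPA.EXAMPLE.COM storage1.ipa.example.com.csr`. FreeIPA validates each DNS SAN against a host or service entry it manages, so the extra names need matching entries before the request is accepted; once the cert is issued, run `openssl x509 -in cert.pem -noout -text` to confirm the signed certificate kept the same names.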