Last updated 2018-05-17
If you want to serve webpages with ssl certificates that have Subject Alternative Names, and you use FreeIPA, you will need to take a few steps to make this possible. If you got to this page, you probably already know the importance of SAN on a cert.
This document will demonstrate how to get IPA to sign a certificate that has the ever-important SubjectAltName.
Freeipa domain is at ipa.example.com
Host storage1.ipa.example.com is serving https, and I want to also serve on other domain names:
You don’t even need to have all the SANs in the same domain!
Generate certificate with SAN in freeipa
Generate private key
openssl genrsa -aes256 -out /root/certs/https-storage1.ipa.example.com.key 2048
Use a simple passphrase you can remember.
Generate certificate signing request
Before you generate the csr, you will need to modify the default openssl.cnf file so it will make a csr with Subject Alternative Names.
In CentOS 7, that file is /etc/pki/tls/openssl.cnf.
In section [req] add line
req_extensions = v3_req
In section [ v3_req ] add lines (to add a new section as well)
subjectAltName = @alt_names [alt_names] DNS.1 = secondary.domain.com DNS.2 = storage1.ipa.example.com DNS.3 = www.ipa.example.com DNS.4 = www.example.com
You can also include IP.1 = 192.168.1.1 entries.
On my CentOS 7 system, here is the diff:
# diff /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.2017-05-19.01 126c126 < req_extensions = v3_req # The extensions to add to a certificate request --- > # req_extensions = v3_req # The extensions to add to a certificate request 225,232d224 < < subjectAltName = @alt_names < < [alt_names] < DNS.1 = secondary.domain.com < DNS.2 = storage1.ipa.example.com < DNS.3 = www.ipa.example.com < DNS.4 = www.example.com
Now generate the csr.
# openssl req -new -key /root/certs/https-storage1.ipa.example.com.key -out /root/certs/https-storage1.ipa.example.com.csr Enter pass phrase for /root/certs/https-storage1.ipa.example.com.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:US State or Province Name (full name) :Some State Locality Name (eg, city) [Default City]:Default City Organization Name (eg, company) [Default Company Ltd]:Example.com Organizational Unit Name (eg, section) :IT Common Name (eg, your name or your server's hostname) :storage1.ipa.example.com Email Address :email@example.com
Make entries in freeipa
To be able to sign a certificate in freeipa with whatever SANs you want, you need to have a host entry for each domain.
So manually create the hosts. You can force it; they are just dummy hosts.
Also manually create HTTP service entries for each of those hosts.
I used the web interface for this, because it was easier for me. But everything in freeipa can be done with the cli; I simply haven’t done the research for how to make new host objects in FreeIPA on the command line yet.
Sign the certificate
In the web UI, you can navigate to Identity -> Services -> principal HTTP/storage1.ipa.example.com@IPA.EXAMPLE.COM.
Select the Actions button, and then New Certificate.
Paste the contents of the csr file.
Retrieve the certificate
In the web UI, under the section Service Certificate, select the Actions button -> Get certificate. You can copy the text and save it in the terminal.
- Generate CSR with SAN http://apetec.com/support/GenerateSAN-CSR.htm
- Generate each host and HTTP service https://www.redhat.com/archives/freeipa-users/2014-September/msg00267.html
- Generate CSR https://bgstack15.wordpress.com/2016/06/30/manipulating-ssl-certificates/