Rafał Wądołowski via FreeIPA-users wrote:
> We have a host which is registered and has an http service with one domain,
> e.g. xyz.intra.example.com.
>
> But we want to add another site with domain intra.example.com, and we
> need to enroll a certificate for that domain, but we can't because the
> hostname of this host is xyz.intra.example.com.
>
> Is it possible to force a client service with a specified domain and create
> a certificate for it?

I still don't quite understand the question. What does the hostname have to do with anything?

Can I try to restate the problem? Is it that you have something like www.washingtonpost.com and you have a cert for the HTTP service so someone can go to https://www.washingtonpost.com/? And now you also want users to be able to drop the www and go right to the domain and not get a cert warning? Like https://washingtonpost.com ? (FTR their server cert has like 100 wildcards as subject-alt-names).

IPA can only issue certs for hosts, services and users. It can't issue a certificate for a domain and can't issue wildcard certs by default. You might want to see if this fits your needs: https://www.freeipa.org/page/Howto/Wildcard_certificates

> BR,
> Rafał
>
> On 03/08/17 16:03, Rob Crittenden via FreeIPA-users wrote:
>> Rafał Wądołowski wrote:
>>> Okay, but how can I create a certificate for the domain intra.example.com?
>>>
>>> I can't create a host, because the hostname is required. When I try to add a
>>> service, I get output that a principal is required.
>> Like I said, every cert needs to live in a bucket (user, service, etc)
>> so since domain can't fit into one, you can't issue a cert for it.
>>
>> What would it be used for? I'm not sure how meaningful a domain name in
>> a cert is, but it could be a use-case we missed.
>>
>> rob
>>
>>>
>>> Regards,
>>>
>>> Rafał Wądołowski
>>>
>>> On 02/08/17 15:55, Rob Crittenden via FreeIPA-users wrote:
>>>> Rafał Wądołowski via FreeIPA-users wrote:
>>>>> Hi,
>>>>>
>>>>> I have a freeipa 4.4 cluster with CN intra.example.com.
>>>>>
>>>>> We developed an intranet on this same domain, but I can't create a valid
>>>>> certificate for it.
>>>>>
>>>>> I can't create a service, because a hostname is required. Is there another way to
>>>>> sign the CSR?
>>>>>
>>>>> What is the good practice for creating https certificates?
>>>>>
>>>> I don't understand the question.
>>>>
>>>> A certificate can only be issued for objects that IPA knows about, a
>>>> service, host or user.
>>>>
>>>> rob

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
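The thread turns on which DNS names a certificate actually covers: a cert issued to the host `xyz.intra.example.com` does not cover the bare domain, and under the RFC 6125 matching rules a wildcard such as `*.intra.example.com` matches exactly one label, so it does not cover `intra.example.com` either (nor a two-level name like `a.b.intra.example.com`). The following is an added example, not code from the thread or from FreeIPA: a small stdlib-only checker that applies those matching rules to a list of subjectAltName dNSName entries and reports which wanted hostnames are left uncovered. The SAN lists and hostnames are constructed for illustration; the script does not parse certificates, it takes the dNSName values as already extracted.

```python
"""Check whether a certificate's subjectAltName dNSName entries cover a
given hostname, following the matching rules in RFC 6125 section 6.4.3.

Added example; the SAN lists below are constructed for illustration and
are not real certificates from the mailing-list thread.
"""


def _matches_pattern(pattern: str, hostname: str) -> bool:
    """Return True if a single dNSName entry (possibly a wildcard) matches hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard is honoured only as the entire left-most label, and we
    # conservatively require at least two literal labels to its right
    # (so "*.com" never matches anything).
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # The wildcard matches exactly one label, so the label counts must agree:
    # "*.intra.example.com" covers "xyz.intra.example.com" but neither
    # "intra.example.com" nor "a.b.intra.example.com".
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def cert_covers(san_dns_names, hostname: str) -> bool:
    """True if any dNSName in the certificate covers hostname."""
    return any(_matches_pattern(name, hostname) for name in san_dns_names)


def uncovered_hostnames(san_dns_names, wanted_hostnames):
    """Return the hostnames from wanted_hostnames that no SAN entry covers."""
    return [h for h in wanted_hostnames if not cert_covers(san_dns_names, h)]


# Constructed sample data: the existing host/service cert from the thread, and
# the shape a wildcard cert from the linked how-to would have (assumed, not real).
HOST_CERT_SANS = ["xyz.intra.example.com"]
WILDCARD_CERT_SANS = ["*.intra.example.com"]
WANTED = ["xyz.intra.example.com", "intra.example.com", "a.b.intra.example.com"]

if __name__ == "__main__":
    for label, sans in (("host cert", HOST_CERT_SANS), ("wildcard cert", WILDCARD_CERT_SANS)):
        print(f"{label} {sans} does not cover: {uncovered_hostnames(sans, WANTED)}")
```

Running it shows that neither the host cert nor a single-level wildcard covers `intra.example.com`; the bare domain needs its own dNSName entry in whatever certificate the bucket (host or service) ends up holding, which is the constraint Rob's reply describes.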