You are doing it correctly. However, the DNS SubjectAltName only works with FreeIPA 4.0+. The CA profile before this version does not allow them.
This is the upstream ticket: https://fedorahosted.org/freeipa/ticket/3977

On 03/26/2015 07:09 PM, Steve Neuharth wrote:
> I'm trying to specify a subject name in a cert request like this:
>
> ipa-getcert request -K HTTP/web.test.org -N *cn=www.test.org,o=TEST.ORG* -f /tmp/webserver.crt -k /tmp/webprivate.key -r
>
> or like this
>
> ipa-getcert request -K HTTP/web.test.org -D www.test.org -f /tmp/webserver.crt -k /tmp/webprivate.key -r
>
> The resulting certificate, however, just has the hostname of the server like this:
>
> Request ID '20150326060555':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=FILE,location='/tmp/webprivate.key'
>     certificate: type=FILE,location='/tmp/webserver.crt'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=TEST.ORG
>     subject: *CN=web.test.org,O=TEST.ORG*
>     expires: 2017-03-26 05:46:29 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
>
> Is this a bug or am I doing something wrong in certmonger?
>
> --steve