[Freeipa-users] Re: Creating certificate for master domain
Rafał Wądołowski via FreeIPA-users wrote:
> We have a host which is registered and has an HTTP service with one domain,
> e.g. xyz.intra.example.com.
>
> But we want to add another site with domain intra.example.com, and we
> need to enroll a certificate for that domain, but we can't because the
> hostname of this host is xyz.intra.example.com.
>
> Is it possible to force client service with specified domain and create
> a certificate for it?

I still don't quite understand the question. What does the hostname have
to do with anything?

Can I try to restate the problem?

Is it that you have something like www.washingtonpost.com and you have a
cert for the HTTP service so someone can go to
https://www.washingtonpost.com/?

And now you also want users to be able to drop the www and go right to
the domain and not get a cert warning? Like https://washingtonpost.com ?

(FTR their server cert has like 100 wildcards as subject-alt-names).

IPA can only issue certs for hosts, services and users. It can't issue a
certificate for a domain and can't issue wildcard certs by default.

You might want to see if this fits your needs:
https://www.freeipa.org/page/Howto/Wildcard_certificates

> BR,
> Rafał
>
> On 03/08/17 16:03, Rob Crittenden via FreeIPA-users wrote:
>> Rafał Wądołowski wrote:
>>> Okay, but how can I create a certificate for domain intra.example.com?
>>>
>>> I can't create a host, because the hostname is required. When I try to add
>>> a service, I got output that principal is required.
>> Like I said, every cert needs to live in a bucket (user, service, etc)
>> so since domain can't fit into one, you can't issue a cert for it.
>>
>> What would it be used for? I'm not sure how meaningful a domain name in
>> a cert is, but it could be a use-case we missed.
>>
>> rob
>>
>>> Regards,
>>>
>>> Rafał Wądołowski
>>>
>>> On 02/08/17 15:55, Rob Crittenden via FreeIPA-users wrote:
>>>> Rafał Wądołowski via FreeIPA-users wrote:
>>>>> Hi,
>>>>>
>>>>> I have a FreeIPA 4.4 cluster with CN intra.example.com.
>>>>>
>>>>> We developed an intranet on this same domain, but I can't create a valid
>>>>> certificate for it.
>>>>>
>>>>> I can't create a service, because hostname is required. Is there another
>>>>> way to sign the CSR?
>>>>>
>>>>> What is the good practice for creating https certificates?
>>>>>
>>>> I don't understand the question.
>>>>
>>>> A certificate can only be issued for objects that IPA knows about, a
>>>> service, host or user.
>>>>
>>>> rob

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
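Added example, not part of the original messages: a hostname check against a certificate's dNSName subject-alt-names, following the RFC 6125 matching rules, to show which of the two site names from the thread would trigger a browser warning. The host names come from the thread; the SAN lists and function names are constructed for illustration.

```python
# Added example, not from the thread: hostname matching against a
# certificate's dNSName subjectAltName entries, following RFC 6125 rules.

def _labels(name):
    """Lower-case DNS labels of a name, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """Return True if one dNSName SAN entry covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        # A wildcard stands for exactly one label, so
        # "*.intra.example.com" never covers bare "intra.example.com".
        return False
    if p[0] == "*":
        # Only a whole left-most label may be a wildcard, and at least
        # two fixed labels must follow it (rejects "*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def uncovered(sans, site_names):
    """Site names that would raise a browser warning for these SANs."""
    return [n for n in site_names
            if not any(san_matches(s, n) for s in sans)]

# Names from the thread; the SAN lists below are constructed samples.
SITES = ["xyz.intra.example.com", "intra.example.com"]
HOST_ONLY = ["xyz.intra.example.com"]
WILDCARD_ONLY = ["*.intra.example.com"]
WILDCARD_PLUS_APEX = ["*.intra.example.com", "intra.example.com"]

if __name__ == "__main__":
    for label, sans in [("host cert", HOST_ONLY),
                        ("wildcard", WILDCARD_ONLY),
                        ("wildcard + apex", WILDCARD_PLUS_APEX)]:
        print(f"{label:16} uncovered: {uncovered(sans, SITES)}")
```

Both the host-only and the wildcard-only SAN lists leave intra.example.com uncovered; only a certificate that also names the bare domain as a SAN covers both sites.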
[Freeipa-users] Re: Creating certificate for master domain
We have a host which is registered and has an HTTP service with one domain,
e.g. xyz.intra.example.com.

But we want to add another site with domain intra.example.com, and we
need to enroll a certificate for that domain, but we can't because the
hostname of this host is xyz.intra.example.com.

Is it possible to force client service with specified domain and create
a certificate for it?

BR,
Rafał

On 03/08/17 16:03, Rob Crittenden via FreeIPA-users wrote:
> Rafał Wądołowski wrote:
>> Okay, but how can I create a certificate for domain intra.example.com?
>>
>> I can't create a host, because the hostname is required. When I try to add
>> a service, I got output that principal is required.
> Like I said, every cert needs to live in a bucket (user, service, etc)
> so since domain can't fit into one, you can't issue a cert for it.
>
> What would it be used for? I'm not sure how meaningful a domain name in
> a cert is, but it could be a use-case we missed.
>
> rob
>
>> Regards,
>>
>> Rafał Wądołowski
>>
>> On 02/08/17 15:55, Rob Crittenden via FreeIPA-users wrote:
>>> Rafał Wądołowski via FreeIPA-users wrote:
>>>> Hi,
>>>>
>>>> I have a FreeIPA 4.4 cluster with CN intra.example.com.
>>>>
>>>> We developed an intranet on this same domain, but I can't create a valid
>>>> certificate for it.
>>>>
>>>> I can't create a service, because hostname is required. Is there another
>>>> way to sign the CSR?
>>>>
>>>> What is the good practice for creating https certificates?
>>>>
>>> I don't understand the question.
>>>
>>> A certificate can only be issued for objects that IPA knows about, a
>>> service, host or user.
>>>
>>> rob
[Freeipa-users] Re: Creating certificate for master domain
Rafał Wądołowski wrote:
> Okay, but how can I create a certificate for domain intra.example.com?
>
> I can't create a host, because the hostname is required. When I try to add
> a service, I got output that principal is required.

Like I said, every cert needs to live in a bucket (user, service, etc)
so since domain can't fit into one, you can't issue a cert for it.

What would it be used for? I'm not sure how meaningful a domain name in
a cert is, but it could be a use-case we missed.

rob

> Regards,
>
> Rafał Wądołowski
>
> On 02/08/17 15:55, Rob Crittenden via FreeIPA-users wrote:
>> Rafał Wądołowski via FreeIPA-users wrote:
>>> Hi,
>>>
>>> I have a FreeIPA 4.4 cluster with CN intra.example.com.
>>>
>>> We developed an intranet on this same domain, but I can't create a valid
>>> certificate for it.
>>>
>>> I can't create a service, because hostname is required. Is there another
>>> way to sign the CSR?
>>>
>>> What is the good practice for creating https certificates?
>>>
>> I don't understand the question.
>>
>> A certificate can only be issued for objects that IPA knows about, a
>> service, host or user.
>>
>> rob
[Freeipa-users] Re: Creating certificate for master domain
Okay, but how can I create a certificate for domain intra.example.com?

I can't create a host, because the hostname is required. When I try to add
a service, I got output that principal is required.

Regards,

Rafał Wądołowski

On 02/08/17 15:55, Rob Crittenden via FreeIPA-users wrote:
> Rafał Wądołowski via FreeIPA-users wrote:
>> Hi,
>>
>> I have a FreeIPA 4.4 cluster with CN intra.example.com.
>>
>> We developed an intranet on this same domain, but I can't create a valid
>> certificate for it.
>>
>> I can't create a service, because hostname is required. Is there another
>> way to sign the CSR?
>>
>> What is the good practice for creating https certificates?
>>
> I don't understand the question.
>
> A certificate can only be issued for objects that IPA knows about, a
> service, host or user.
>
> rob
[Freeipa-users] Re: Creating certificate for master domain
Rafał Wądołowski via FreeIPA-users wrote:
> Hi,
>
> I have a FreeIPA 4.4 cluster with CN intra.example.com.
>
> We developed an intranet on this same domain, but I can't create a valid
> certificate for it.
>
> I can't create a service, because hostname is required. Is there another
> way to sign the CSR?
>
> What is the good practice for creating https certificates?
>

I don't understand the question.

A certificate can only be issued for objects that IPA knows about, a
service, host or user.

rob