When I try adding it as an alt name:
# certutil -R -d . -a -g 2048 -s "cn=elastic.our.net,o=our.net" \
    -8 elastic.our.net,\*.elastic.our.net,zsece01.our.net,zsece02.our.net,zsece0... \
    elastic.our.net.csr
# ipa cert-request elastic.our.net.csr --principal host/elastic.our.net --profile wildcard
ipa: ERROR: The service principal for subject alt name *.elastic.spx.net in certificate request does not exist
I'm not sure how to add a wildcard host principal...
--
Bret Wortman
bret.wortman(a)damascusgrp.com
On Tue, Jun 7, 2022, at 11:07 AM, Alexander Bokovoy wrote:
> On ti, 07 kesä 2022, Bret Wortman via FreeIPA-users wrote:
>>I'm trying to create a wildcard certificate to use with some elasticsearch ECE
>>systems and it's not working quite right yet. I found Fraser's blog at
>>https://frasertweedale.github.io/blog-redhat/posts/2017-02-20-freeipa-wil...
>>and followed the directions there. After installing the cert chain on my ES servers, when
>>I connect over the web I'm getting an SSL_ERROR_BAD_CERT_DOMAIN error, even though the
>>cert contains:
>>
>>Subject Name
>>  Organization    OUR.NET 201804300753
>>  Common Name     *.elastic.our.net
>>
>>Issuer Name
>>  Organization    OUR.NET 201804300753
>>  Common Name     Certificate Authority
>>
>>Validity
>>  Not Before      Tue, 07 Jun 2022 14:48:08 GMT
>>  Not After       Fri, 07 Jun 2024 14:48:08 GMT
>>
>>Subject Alt Names
>>  DNS Name        zsece01.our.net
>>  DNS Name        zsece02.our.net
>>  DNS Name        zsece013our.net
>>
>>:
>>
>>I've tried including elastic.our.net as an alt name too and it didn't
>>prevent the error. What am I missing?
>
> You need to have dnsName: *.elastic.our.net in the SAN as well. Most
> browsers stopped looking into CN already for CAs from the root CA list
> but recently Firefox and Chrome also applied this to private CAs as
> well.
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
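The point Alexander makes above (browsers match the hostname against SAN dNSName entries only and ignore the CN) can be checked before a certificate is deployed. The following is an added example written for this thread, not code from the original posts or from FreeIPA; it implements the RFC 6125 / RFC 2818 matching rules as browsers apply them (wildcard only as the whole leftmost label, matching exactly one label) and runs them over the names shown in the posted certificate. The hostnames in SAMPLE_HOSTS are constructed for illustration.

```python
"""Check whether a certificate's names cover the hostnames clients will use,
the way modern browsers do: only Subject Alternative Name dNSName entries
count, the Common Name is never consulted (RFC 6125 s6.4.4, RFC 2818 s3.1).
"""
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Identity-relevant parts of a certificate (constructed, not parsed)."""
    common_name: str
    san_dns: list = field(default_factory=list)


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a SAN dNSName pattern matches a presented hostname.

    Rules as browsers enforce them:
      * comparison is case-insensitive, trailing dots are ignored;
      * a wildcard is accepted only as the entire leftmost label ("*.a.b"),
        never inside a label ("f*o.a.b") or in any other position;
      * the wildcard must be followed by at least two labels ("*.net" is rejected);
      * "*" matches exactly one label: it does not match the bare parent
        ("*.elastic.our.net" does not cover "elastic.our.net") nor two labels.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def hostname_covered(cert: CertNames, hostname: str) -> bool:
    """Browser behaviour: the CN is ignored, only SAN dNSName entries count."""
    return any(dns_name_matches(name, hostname) for name in cert.san_dns)


def uncovered_hosts(cert: CertNames, hosts) -> list:
    """Hostnames for which a browser would raise a bad-cert-domain error."""
    return [h for h in hosts if not hostname_covered(cert, h)]


# Names as shown in the certificate posted in the thread: wildcard in CN only.
POSTED_CERT = CertNames(
    common_name="*.elastic.our.net",
    san_dns=["zsece01.our.net", "zsece02.our.net", "zsece013our.net"],
)

# Same certificate with the wildcard (and the bare parent) added to the SAN,
# which is what the reply above says is required.
FIXED_CERT = CertNames(
    common_name="*.elastic.our.net",
    san_dns=POSTED_CERT.san_dns + ["*.elastic.our.net", "elastic.our.net"],
)

# Constructed hostnames a client might connect to (not from the thread).
SAMPLE_HOSTS = ["zsece01.our.net", "node1.elastic.our.net", "elastic.our.net"]


def report(cert: CertNames, hosts) -> str:
    missing = uncovered_hosts(cert, hosts)
    if not missing:
        return "all hostnames covered by SAN"
    return "NOT covered by SAN (CN is ignored): " + ", ".join(missing)


if __name__ == "__main__":
    print("posted cert:", report(POSTED_CERT, SAMPLE_HOSTS))
    print("fixed cert: ", report(FIXED_CERT, SAMPLE_HOSTS))
    # A wildcard covers one label only; deeper names still need their own entry.
    print("deep name:  ", report(FIXED_CERT, ["a.node1.elastic.our.net"]))
```

Running it shows that the posted certificate covers only the three literal SAN hosts, that adding `*.elastic.our.net` to the SAN covers one-label subdomains, and that `elastic.our.net` itself still needs its own dNSName entry because the wildcard does not match the bare parent.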