[Freeipa-users] Re: Wildcard certificate

When I try adding it as an alt name: # certutil -R -d . -a -g 2048 -s "cn=elastic.our.net,o=our.net" \ -8 elastic.our.net,\*.elastic.our.net,zsece01.our.net,zsece02.our.net,zsece0... \ # ipa cert-request elastic.our.net.csr --principal host/elastic.our.net --profile wildcard ipa: ERROR: The service principal for subject alt name *.elastic.spx.net in certificate request does not exist I'm not sure how to add a wildcard host principal... -- Bret Wortman bret.wortman(a)damascusgrp.com On Tue, Jun 7, 2022, at 11:07 AM, Alexander Bokovoy wrote: > On ti, 07 kesä 2022, Bret Wortman via FreeIPA-users wrote: >>I'm trying to create a wildcard certificate to use with some elasticsearch ECE systems and it's not working quite right yet. I found Fraser's blog at https://frasertweedale.github.io/blog-redhat/posts/2017-02-20-freeipa-wil... and followed the directions there. After installing the cert chain on my ES servers, when I connect over the web I'm getting an SSL_ERROR_BAD_CERT_DOMAIN error, even though the cert contains: >> >>Subject Name >> Organization OUR.NET 201804300753 >> Common Name *.elastic.our.net >> >>Issuer Name >> Organization OUR.NET 201804300753 >> Common Name Certificate Authority >> >>Validity >> Not Before Tue, 07 Jun 2022 14:48:08 GMT >> Not After Fri, 07 Jun 2024 14:48:08 GMT >> >>Subject Alt Names >> DNS Name zsece01.our.net >> DNS Name zsece02.our.net >> DNS Name zsece013our.net >> >>: >> >>I've tried including elastic.our.net as an alt name too and it didn't prevent the error. What am I missing? > > You need to have dnsName: *.elastic.our.net in the SAN as well. Most > browsers stopped looking into CN already for CAs from the root CA list > but recently Firefox and Chrome also applied this to private CAs as > well. > > > -- > / Alexander Bokovoy > Sr. Principal Software Engineer > Security / Identity Management Engineering > Red Hat Limited, Finland