On Thu, 30 Nov 2017, dbischof--- via FreeIPA-users wrote:
> Dear list,
>
> one of my IPA masters (master.example.com, IPA 4.5) runs a Dokuwiki
> and a DAViCal instance besides IPA. DNS is external (not managed by
> IPA) and I asked the DNS admin to create CNAMEs wiki.example.com and
> cal.example.com that point to master.example.com.
>
> That works, but my users get browser warnings
> "SSL_ERROR_BAD_CERT_DOMAIN" upon first connect via the CNAMEs and have
> to allow exceptions. Unbeautiful.
>
> Therefore, I force-created dummy hosts in IPA and let them be managed
> by master.example.com:
>
> $ ipa host-add wiki.example.com --force
> $ ipa service-add HTTP/wiki.example.com --force
> $ ipa service-add-host HTTP/wiki.example.com --host master.example.com
>
> If I were to revoke the certificate for HTTP/master.example.com now
> (didn't dare yet), would a new certificate be created that contains
> wiki.example.com as X509v3 Subject Alternative Name? It probably isn't
> that easy, right?
Yes, it is not that easy. You do not need to revoke anything, though.

Use getcert to re-submit the existing certificate request that tracks your
HTTP certificate in /etc/httpd/alias:

1. Obtain the request ID:

   # getcert list -d /etc/httpd/alias

2. Re-submit the request with the additional SANs, retaining the original SAN
   and Kerberos principal:

   # getcert resubmit -i "REQUEST-ID" -D master.example.com -D wiki.example.com -K HTTP/master.example.com

3. Watch that the request went to the MONITORING state:

   # getcert list -i "REQUEST-ID"

You'll see that it has two 'dns' properties now.
--
/ Alexander Bokovoy
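Added example, not part of the thread above and not FreeIPA or certmonger code: a small Python 3 script that parses `getcert list` output, picks the request whose principal is HTTP/master.example.com (step 1), builds the `getcert resubmit` argv with every SAN repeated as `-D` (step 2), and performs the step-3 check that the request is back in MONITORING and carries exactly the expected 'dns' SANs and the Kerberos principal. The sample output is constructed to mirror certmonger's layout; the request ID, dates and DN values in it are made up.

```python
"""Check an HTTP cert request tracked by certmonger for SANs, principal, state.

Added example; not from the mailing-list thread nor from FreeIPA/certmonger.
The sample below is constructed to look like `getcert list -d /etc/httpd/alias`
after the resubmit: field names are certmonger's, the values are invented.
"""
import re
import shlex

# Constructed sample output (one tracked request, already resubmitted).
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 1.
Request ID '20171130100000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=master.example.com,O=EXAMPLE.COM
\texpires: 2019-11-30 10:00:00 UTC
\tdns: master.example.com
\tdns: wiki.example.com
\tprincipal name: HTTP/master.example.com@EXAMPLE.COM
\tpost-save command: /usr/libexec/ipa/certmonger/restart_httpd
\ttrack: yes
\tauto-renew: yes
"""

_REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")


def parse_getcert_list(text):
    """Return {request_id: {field: [values]}}; repeated fields such as
    'dns' (one line per SAN) are collected into lists."""
    requests = {}
    current = None
    for line in text.splitlines():
        m = _REQUEST_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
            continue
        if current is None or ":" not in line:
            continue  # summary header or text outside any request block
        key, _, value = line.strip().partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    return requests


def _short(principal):
    """Strip the realm so 'HTTP/host' matches 'HTTP/host@REALM'."""
    return principal.split("@", 1)[0]


def find_request_id(requests, principal):
    """Step 1: request ID whose 'principal name' matches the given principal."""
    for req_id, fields in requests.items():
        if _short(principal) in [_short(p) for p in fields.get("principal name", [])]:
            return req_id
    return None


def resubmit_command(request_id, principal, dns_names):
    """Step 2: argv for getcert resubmit, one -D per SAN to keep the old one."""
    argv = ["getcert", "resubmit", "-i", request_id]
    for name in dns_names:
        argv += ["-D", name]
    return argv + ["-K", principal]


def check_request(fields, principal, dns_names):
    """Step 3: list of problems; empty when the request reached MONITORING,
    still carries the Kerberos principal and has exactly the wanted SANs."""
    problems = []
    status = fields.get("status", ["?"])[0]
    if status != "MONITORING":
        problems.append("status is %s, not MONITORING" % status)
    if fields.get("stuck", ["no"])[0] != "no":
        problems.append("request is stuck")
    if _short(principal) not in [_short(p) for p in fields.get("principal name", [])]:
        problems.append("principal %s missing" % principal)
    have, want = set(fields.get("dns", [])), set(dns_names)
    if have != want:
        problems.append("dns SANs %s, expected %s" % (sorted(have), sorted(want)))
    return problems


if __name__ == "__main__":
    principal, wanted = "HTTP/master.example.com", ["master.example.com", "wiki.example.com"]
    reqs = parse_getcert_list(SAMPLE_GETCERT_LIST)
    rid = find_request_id(reqs, principal)
    print(" ".join(shlex.quote(a) for a in resubmit_command(rid, principal, wanted)))
    print(check_request(reqs[rid], principal, wanted) or "request OK")
```

On a real master, feed the script the live output of `getcert list -d /etc/httpd/alias` instead of the constructed sample; if `check_request` reports a status other than MONITORING or a missing SAN, the resubmit did not take and the request needs another look before trusting the new certificate.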