On Thu, 01 Nov 2018, Henrik Stigendal via FreeIPA-users wrote:
> On 1 Nov 2018, at 00:51, Fraser Tweedale <ftweedal(a)redhat.com> wrote:
> Note that you'll have a hard time getting a certificate signed by a
> public CA with the appropriate Extended Key Usage and Subject
> Alternative Name values for a KDC certificate. If you are getting
> certificates from some other internal CA controlled by your
> organisation, no worries. Otherwise, you'll have to make do without
> Kerberos PKINIT support.
> Thanks, you mean the UPN: krbtgt/DOMAIN.NET(a)DOMAIN.NET part?
> We have an internal CA, I guess I'll try to generate a CSR with
> certutil and submit it. It will be quite a few UPN/SAN if I want one
> certificate for all servers for LDAP/HTTP and PKINIT respectively.
> Maybe have two per server and a common name for a load balancer in
> each certificate, this is really not my area of expertise, it was so
> much easier with the provided CA in IPA :)
If you have an internal CA, it would be much easier to get that CA to
sign IPA CA as a sub-CA. Then clients will trust IPA CA-issued
certificates if they trust internal CA already.
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
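Fraser's point about the EKU and SAN a KDC certificate needs, and Henrik's plan to hand a CSR to the internal CA, in concrete form as an added example (not from the thread, FreeIPA or MIT krb5): a POSIX shell script that writes an OpenSSL request config carrying the PKINIT KDC EKU and the krbtgt otherName SAN, generates the CSR, and checks the DER for both markers. The realm EXAMPLE.COM, host kdc1.example.com and the working directory are assumed placeholders.

```shell
# Added example, not from the thread: build a CSR for a KDC certificate carrying the
# PKINIT KDC EKU (1.3.6.1.5.2.3.5) and an id-pkinit-san otherName (1.3.6.1.5.2.2) that
# holds krbtgt/REALM@REALM, then verify both survived DER encoding.
# Realm, host and working directory are assumed placeholder values.
set -e

make_kdc_csr() {
  realm="$1"; host="$2"; dir="$3"
  mkdir -p "$dir"
  cat > "$dir/kdc.cnf" <<EOF
[ req ]
distinguished_name = req_dn
req_extensions     = kdc_ext
prompt             = no
[ req_dn ]
CN = $host
[ kdc_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
# id-pkinit-KPKdc (RFC 4556): the EKU a PKINIT client expects on a KDC certificate
extendedKeyUsage = 1.3.6.1.5.2.3.5
# otherName id-pkinit-san = KRB5PrincipalName krbtgt/$realm@$realm; the dNSName
# lets the same certificate also serve LDAP/HTTP on this host
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name,DNS:$host
[ kdc_princ_name ]
realm=EXP:0,GeneralString:$realm
principal_name=EXP:1,SEQUENCE:kdc_principal_seq
[ kdc_principal_seq ]
name_type=EXP:0,INTEGER:2
name_string=EXP:1,SEQUENCE:kdc_principals
[ kdc_principals ]
princ1=GeneralString:krbtgt
princ2=GeneralString:$realm
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/kdc.key" \
    -out "$dir/kdc.csr" -config "$dir/kdc.cnf" 2>/dev/null
}

# Check the request's DER for the byte patterns a PKINIT-capable KDC cert must contain:
# 06072b060105020305 = OID 1.3.6.1.5.2.3.5 (EKU value), 06062b0601050202 = OID 1.3.6.1.5.2.2
# (otherName type-id), 6b7262746774 = GeneralString "krbtgt" inside the KRB5PrincipalName.
check_kdc_csr() {
  hex=$(openssl req -in "$1" -outform DER | od -An -v -tx1 | tr -d ' \n')
  for needle in 06072b060105020305 06062b0601050202 6b7262746774; do
    case "$hex" in *"$needle"*) ;; *) echo "CSR lacks DER pattern $needle" >&2; return 1 ;; esac
  done
}

make_kdc_csr EXAMPLE.COM kdc1.example.com "${TMPDIR:-/tmp}/kdc-csr-example"
check_kdc_csr "${TMPDIR:-/tmp}/kdc-csr-example/kdc.csr" && echo "CSR carries PKINIT KDC EKU and krbtgt SAN"
```

The same check works on the issued certificate (`openssl x509 -outform DER` in place of `openssl req`), which is how to confirm the internal CA did not strip the requested extensions.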