It seems that Firefox has now started warning about certificates that don't include a subject alternative name. (Honestly, I had no idea that it wasn't already doing so; Chrome has been doing this for years.)
My EL7 FreeIPA server still uses a "sans SAN" certificate for its HTTPS interface, so I would like to regenerate it.
1. Is it possible to use ipa-getcert to request an early renewal, or do I have to delete/recreate it?
2. This is a fully updated CentOS 7 system, running the included version of FreeIPA (ipa-server-4.6.8-5.el7.centos.10.x86_64). Will it automatically include a SAN extension when it renews the server certificate (or issues a new one), or do I need to modify a certificate profile?
3. Related to the above, which profile should I use if I need to issue a completely new certificate - caIPAserviceCert?
4. Are any other steps necessary? I.e., if I have to delete and re-issue the certificate, do I need to update any other configuration files or directory records to reference the new certificate?
Thanks!
Hi Ian,
The Firefox change ceases CN matching for additional, explicitly trusted CAs. For "bundled" CAs it stopped using CN years ago (along with Chrome and other browsers).
For renewal instructions, refer to Rob's mail of Mon, 6 Jun 2022 11:23:04 -0400 to this list, subject:
PSA: Change in Firefox related to host names and its impact on IPA
Thanks, Fraser
On Sat, Jun 18, 2022 at 09:48:06AM -0500, Ian Pilcher via FreeIPA-users wrote:
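The matching rule behind the Firefox warning discussed in this thread, shown as an added example (this is not code from the thread, from FreeIPA or from certmonger): a server certificate is matched against the requested host name using the DNS entries of the subjectAltName extension only, and the CN is ignored even when it would match. The script builds two throwaway self-signed certificates, one CN-only and one with a SAN, and applies that rule to both. It assumes an OpenSSL 1.1.1 or newer `openssl` binary (for `-addext`); the host names `ipa.example.test` and `ipa-ca.example.test` and the file names are made up for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not part of the original thread: reproduce the browser rule
# "match on SAN DNS entries only, never on CN" against local test certificates.
# Assumes openssl >= 1.1.1 (needed for `req -addext`). Host names are invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test certificates: one with only a CN (the "sans SAN" case the
# thread is about) and one carrying a DNS SAN. Both self-signed, throwaway keys.
make_cert() {  # make_cert <outfile> <subject CN> [subjectAltName value]
    local out=$1 cn=$2 san=${3-}
    if [ -n "$san" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$cn" -addext "subjectAltName=$san" \
            -keyout "$WORK/key.pem" -out "$out" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$cn" \
            -keyout "$WORK/key.pem" -out "$out" 2>/dev/null
    fi
}

# Print the DNS names from the SAN extension, one per line (nothing if the
# certificate has no SAN). Parses the human-readable -text output, which is
# stable across OpenSSL versions, rather than relying on `x509 -ext`.
san_dns_names() {  # san_dns_names <cert.pem>
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Succeed (exit 0) only if <host> is one of the SAN DNS entries. The CN is
# deliberately never consulted: that is the behaviour Firefox now applies to
# explicitly trusted CAs as well, and why a CN-only certificate gets a warning.
cert_matches_host() {  # cert_matches_host <cert.pem> <host>
    san_dns_names "$1" | grep -qxF "$2"
}

# For a live server the certificate would come from s_client instead of a file
# (not executed here, it needs the network):
#   openssl s_client -connect ipa.example.test:443 -servername ipa.example.test \
#       </dev/null 2>/dev/null | openssl x509 -noout -text

make_cert "$WORK/cn-only.pem"  ipa.example.test
make_cert "$WORK/with-san.pem" ipa.example.test \
    "DNS:ipa.example.test,DNS:ipa-ca.example.test"

for c in cn-only with-san; do
    if cert_matches_host "$WORK/$c.pem" ipa.example.test; then
        echo "$c.pem: ipa.example.test matched via SAN"
    else
        echo "$c.pem: no SAN match for ipa.example.test (CN alone is not enough)"
    fi
done
```

Running the same `san_dns_names` check against the certificate served on the FreeIPA HTTPS port, before and after following the renewal instructions Fraser points to, is a quick way to confirm that the renewed certificate actually gained a SAN covering the host name, instead of relying on the browser warning going away.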