On Mon, 23 Jul 2018, Anvar Kuchkartaev via FreeIPA-users wrote:
> I am planning to deploy a replica of FreeIPA to AWS, and I have the following
> * Let's say the FreeIPA domain is example.com
> * The FreeIPA domain has its own CA
> * All AWS hosts will get their hostname automatically over DHCP options in the
>   VPC, like ip-xxx-xxx-xxx-xxx.aws.example.com
> * The FreeIPA replica will be reachable on one internal IP and one elastic
>   IP; the internal IP will be reachable via the hostname ipa.aws.example.com,
>   the external one (elastic IP) will be reachable via ipa.example.com;
>   autodiscovery records will do the rest.
> I cannot resolve one part: when using different hostnames, I might run
> into a TLS/STARTTLS issue, since the IPA Apache, LDAP and Kerberos KDC
> certificates are issued automatically only to one hostname.
> I would like to ask if it is possible to replace the IPA Apache, LDAP and
> Kerberos KDC certificates with SAN certificates that support multiple
Yes, it is -- after installation you can re-issue the certificates. Look into
the list archives for the last two months or so; this was raised already and I
gave an answer.
Sorry, I don't have a link right now.
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
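The re-issue Alexander refers to, as an added example that is not code from the thread or from the FreeIPA project: certmonger already tracks the replica's HTTP and LDAP server certificates, so `getcert resubmit` with extra `-D` dNSName values asks the IPA CA for a replacement that carries both names. Assumptions: the replica's own name is ipa.aws.example.com and the extra name is ipa.example.com (taken from the question); the two certmonger request IDs are placeholders you read from `getcert list`; the IPA CA only signs an extra dNSName when the requesting host is allowed to manage a host or service entry for that name, hence the `host-add-managedby` / `service-add-host` steps (adjust if your version's cert-request policy differs); Kerberos on port 88 is not TLS, so only the HTTP and LDAP certificates get the extra name here. With `DRY_RUN=1` (the default) the script only prints the commands.

```shell
#!/bin/sh
# Added example, not FreeIPA project code. Re-issue a replica's HTTP and
# LDAP certificates with additional dNSName SANs via certmonger.
# Names below are assumptions taken from the question; request IDs are
# placeholders to be replaced with the output of `getcert list`.
set -eu

IPA_HOST="${IPA_HOST:-ipa.aws.example.com}"   # the replica's primary name
ALT_NAMES="${ALT_NAMES:-ipa.example.com}"    # space-separated extra names
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print, 0 = execute

HTTP_REQUEST_ID="${HTTP_REQUEST_ID:-20180723000001}"   # placeholder
LDAP_REQUEST_ID="${LDAP_REQUEST_ID:-20180723000002}"   # placeholder

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Turn "a b c" into "-D a -D b -D c" for getcert request/resubmit.
san_flags() {
    out=""
    for n in $1; do
        out="$out -D $n"
    done
    printf '%s' "${out# }"
}

# The IPA CA checks that the requesting host may manage a principal for
# each SAN dNSName. Register each alternate name as a host plus HTTP and
# ldap services, and let the replica manage them.
authorize_alt_names() {
    for alt in $ALT_NAMES; do
        run ipa host-add "$alt" --force
        run ipa host-add-managedby "$alt" --hosts="$IPA_HOST"
        for svc in HTTP ldap; do
            run ipa service-add "$svc/$alt" --force
            run ipa service-add-host "$svc/$alt" --hosts="$IPA_HOST"
        done
    done
}

# Resubmit one tracked request. The primary name stays in the SAN so
# existing clients keep verifying; alternate names are appended.
resubmit_with_san() {
    # shellcheck disable=SC2046
    run getcert resubmit -i "$1" $(san_flags "$IPA_HOST $ALT_NAMES")
}

# Check that SAN text (as printed by `openssl x509 -noout -ext
# subjectAltName`) names every expected host. $1 = SAN text, rest =
# expected names. Returns 1 and lists the missing names on stderr.
san_covers() {
    names=" $(printf '%s' "$1" | tr ',\n' '  ' | sed 's/DNS://g') "
    shift
    missing=""
    for n in "$@"; do
        case "$names" in
            *" $n "*) ;;
            *) missing="$missing $n" ;;
        esac
    done
    [ -z "$missing" ] || { printf 'missing SAN:%s\n' "$missing" >&2; return 1; }
}

# After the resubmit: fetch the served certificate and check both names.
# Needs OpenSSL 1.1.1+ for `-ext`; run it only once certmonger has
# installed the new certificate.
verify_live() {
    san=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
          | openssl x509 -noout -ext subjectAltName)
    # shellcheck disable=SC2086
    san_covers "$san" $IPA_HOST $ALT_NAMES
}

# Dry-run walk-through of the whole procedure. Run with DRY_RUN=0 on the
# replica as an admin holding a Kerberos ticket.
authorize_alt_names
resubmit_with_san "$HTTP_REQUEST_ID"
resubmit_with_san "$LDAP_REQUEST_ID"
```

The LDAP certificate is served both on port 636 and via STARTTLS on 389, so check 636 with `openssl s_client -connect ipa.example.com:636` the same way `verify_live` checks 443; clients that were pinned to the old certificate do not need changes, because the primary name is still present in the new SAN.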