Hello everyone, I am planning to deploy replica of freeipa to AWS, and I have following idea: * Lets say freeipa domain is example.com * freeipa domain has it's own CA * all aws hosts will get hostname automatically over dhcp options in vpc like ip-xxx-xxx-xxx-xxx.aws.example.com * Freeipa replica will be reachable one internal IP and one elastic IP, internal IP will be reachable with hostname ipa.aws.example.com, external one (elastic IP) will be reachable ipa.example.com, DNS autodiscovery records will do the rest. I cannot resolve one part, when using different hostnames, I might run into TLS, STARTTLS issue, since ipa apache, ldap, kerberos kdc certificates are issued automatically only to one hostname. I would like to ask if it is possible to replace ipa apache, ldap, kerberos kdc certificates with SAN certificates that supports multiple hostnames? Thanks, -- Anvar Kuchkartaev anvar(a)aegissec.net