On Mon, 23 Jul 2018, Anvar Kuchkartaev via FreeIPA-users wrote:
Hello everyone,
I am planning to deploy a replica of FreeIPA to AWS, and I have the following
idea:
* Let's say the FreeIPA domain is example.com
* The FreeIPA domain has its own CA
* All AWS hosts will get their hostname automatically over DHCP options in
the VPC, like ip-xxx-xxx-xxx-xxx.aws.example.com
* The FreeIPA replica will be reachable on one internal IP and one elastic
IP; the internal IP will be reachable with the hostname ipa.aws.example.com,
the external one (elastic IP) will be reachable as ipa.example.com, and DNS
autodiscovery records will do the rest.
I cannot resolve one part: when using different hostnames, I might run
into TLS/STARTTLS issues, since the IPA Apache, LDAP and Kerberos KDC
certificates are issued automatically only to one hostname.
I would like to ask if it is possible to replace the IPA Apache, LDAP and
Kerberos KDC certificates with SAN certificates that support multiple
hostnames?
Yes, it is -- after install you can re-issue the certificates. Look into
the list archives for the last two months or so; this was raised already,
and I gave an answer.
Sorry, I don't have a link right now.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
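The re-issue step Alexander points at, and the check that motivates it, as an added example that is not code from the thread or from the FreeIPA project. IPA server certificates are tracked by certmonger, and `ipa-getcert resubmit -i <request-id> -D <name>` re-requests a tracked certificate with DNS subjectAltNames; the request ID used below is a placeholder (find the real ones with `ipa-getcert list`), and the hostnames are the two from the thread. The `san_covers` function reproduces the hostname check a TLS/STARTTLS client performs, so you can see why the single-name certificate fails for the second name and a SAN certificate does not:

```python
"""Added example for the FreeIPA-users thread above; not FreeIPA project code."""

# Hostnames from the thread. The certmonger request ID is an assumed
# placeholder; list the real IDs with `ipa-getcert list`.
EXTERNAL = "ipa.example.com"
INTERNAL = "ipa.aws.example.com"
ASSUMED_HTTP_REQUEST_ID = "20180723000001"


def resubmit_command(request_id, dns_names):
    """Build the certmonger command that re-requests a tracked IPA server
    certificate with one dNSName SAN per hostname (ipa-getcert resubmit -D)."""
    cmd = ["ipa-getcert", "resubmit", "-i", request_id]
    for name in dns_names:
        cmd += ["-D", name]
    return cmd


def san_covers(san_dns_names, hostname):
    """Hostname check in the style of RFC 6125 section 6.4.3, as a TLS client
    applies it: a dNSName matches exactly (case-insensitive), or via a wildcard
    in the leftmost label only; a wildcard never spans more than one label."""
    host = hostname.lower().rstrip(".").split(".")
    for san in san_dns_names:
        labels = san.lower().rstrip(".").split(".")
        if len(labels) != len(host) or labels[1:] != host[1:]:
            continue
        if labels[0] == host[0]:
            return True
        # Refuse "*.com"-style wildcards; require at least two fixed labels.
        if labels[0] == "*" and len(labels) >= 3:
            return True
    return False


def endpoint_report(san_dns_names, endpoints):
    """For each name clients connect to, report whether the served certificate
    would pass the hostname check (True) or produce a TLS/STARTTLS error."""
    return {ep: san_covers(san_dns_names, ep) for ep in endpoints}


if __name__ == "__main__":
    # Constructed SAN lists: what ipa-server-install issues (one name) versus
    # the re-issued certificate that carries both names.
    single_name_cert = [EXTERNAL]
    san_cert = [EXTERNAL, INTERNAL]
    print("before:", endpoint_report(single_name_cert, [EXTERNAL, INTERNAL]))
    print("after: ", endpoint_report(san_cert, [EXTERNAL, INTERNAL]))
    print(" ".join(resubmit_command(ASSUMED_HTTP_REQUEST_ID, san_cert)))
```

The IPA CA only issues a DNS SAN that corresponds to a principal (or principal alias) the requesting host is allowed to manage, so the second name typically has to exist as a host or principal alias before the resubmit succeeds; the exact alias command depends on the FreeIPA version, so check the list archive answer Alexander refers to for your release. Run the same resubmit for the LDAP server certificate's request ID; after both re-issue, connecting over TLS to each of the two names should pass the hostname check that `san_covers` models.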