On Fri, Oct 20, 2017 at 10:59:36AM -0700, Steve Dainard via FreeIPA-users wrote:
> Hello
>
> I have a RHEL7 IPA server installed as a subordinate CA. I'd like to be
> able to add SANs for a different DNS domain than exists in the IPA realm.
> The DNS for 'otherdomain.com' is handled by Active Directory, which my IPA
> server has a cross-forest trust with.
>
> i.e.:
> host: client1.ipadomain.com
> certificate: CN = client1.ipadomain.com, SAN = client1.ipadomain.com,
> servicename.otherdomain.com
>
> When I try to submit this CSR with 'ipa-getcert request' the IPA server
> denies with: "The service principal for subject alt name
> servicename.otherdomain.com in certificate request does not exist"
>
> It seems that the default CAACL enforces a profile named
> 'caIPAserviceCert', but I'm having some trouble determining what can be
> modified (or cloned and changed in a new profile) that would allow the CA
> to sign a CSR that contains *.ipadomain.com and *.otherdomain.com in the
> SAN.
>
> This is the only section in the profile that contains SAN:
> policyset.serverCertSet.12.constraint.class_id= noConstraintImpl
> policyset.serverCertSet.12.constraint.name =No Constraint
> policyset.serverCertSet.12.default.class_id= commonNameToSANDefaultImpl
> policyset.serverCertSet.12.default.name =Copy Common Name to Subject Alternative Name
>
> Thanks,
> Steve
>

You can add a principal alias to the service principal:

% ipa service-add-principal HTTP/client1.ipadomain.com \
HTTP/servicename.otherdomain.com

Then the CSR validation routine will see the
'servicename.otherdomain.com' SAN dnsName as a valid SAN for the
subject principal.

(This feature was added in FreeIPA 4.5.)

Cheers,
Fraser
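The rule Fraser describes, as an added Python model (not FreeIPA's own code): every SAN dnsName in the CSR must map to a principal name or alias of the service being issued the certificate, so the request is denied until the alias is added. The realm name is an assumption; the thread does not state it.

```python
# Added model of the FreeIPA CSR SAN check (not FreeIPA's own code):
# each SAN dnsName must map to a principal name or alias of the service.
from dataclasses import dataclass, field

REALM = "IPADOMAIN.COM"  # assumed realm; the thread does not state it

def canonical(principal: str) -> str:
    """Normalise 'svc/host[@REALM]' to 'svc/host@REALM' (host lowercased)."""
    name, _, realm = principal.partition("@")
    svc, _, host = name.partition("/")
    if not svc or not host:
        raise ValueError(f"not a service principal: {principal!r}")
    return f"{svc}/{host.lower()}@{(realm or REALM).upper()}"

@dataclass
class Service:
    """A service entry: its canonical principal plus principal aliases."""
    principal: str
    aliases: set = field(default_factory=set)

    def add_principal(self, alias: str) -> None:
        """Same effect as `ipa service-add-principal <principal> <alias>`."""
        self.aliases.add(canonical(alias))

    def principals(self) -> set:
        return {canonical(self.principal)} | self.aliases

def missing_san_principals(service: Service, san_dnsnames) -> list:
    """SAN dnsNames for which no '<svc>/<dnsname>' principal exists."""
    svc_type = canonical(service.principal).split("/", 1)[0]
    known = service.principals()
    return [d for d in san_dnsnames
            if canonical(f"{svc_type}/{d}") not in known]

def validate_request(service: Service, san_dnsnames) -> tuple:
    """Mimic the server's accept/deny decision and its error text."""
    missing = missing_san_principals(service, san_dnsnames)
    if missing:
        return False, ("The service principal for subject alt name "
                       f"{missing[0]} in certificate request does not exist")
    return True, "ok"

if __name__ == "__main__":
    svc = Service("HTTP/client1.ipadomain.com")
    san = ["client1.ipadomain.com", "servicename.otherdomain.com"]
    print(validate_request(svc, san))   # denied: alias not added yet
    svc.add_principal("HTTP/servicename.otherdomain.com")
    print(validate_request(svc, san))   # accepted after the alias is added
```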