Dear All,

We have a number of DNS sub zones in different IP subnets, and we want to ensure that DNS queries respond quickly and aren't waiting for timeouts. So as such we're thinking of putting our IPA on multiple interfaces, one in each sub zone, and registering the host and its clients within that sub zone separately. To achieve this we need to add principal aliases for each sub zone to the IPA services - which appears to be working well so far, but I have a question: what's the best way to set up a new certificate for the web interface to allow SSL on the new sub zone interface? We're thinking of simply adding alt names to the certificate and getting a newly issued one from the local CA. Should we be looking to do this exclusively with certutil, or should we be using ipa-server-certinstall?

I hope that this makes sense and our approach isn't complete madness.

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum@well.ox.ac.uk
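Added example (this is not code from the post above or from the FreeIPA project): a small shell script that spells out the alias-then-reissue approach and adds the check a practitioner would want afterwards, namely that the certificate actually carries a dNSName SAN for every sub-zone name. The realm EXAMPLE.COM, the host ipa.example.com and the two sub-zone names are assumptions; the certmonger request id is a placeholder. The IPA CA will only issue a SAN for a name that is a principal alias of the service the certificate is requested for, so the aliases have to exist before the certificate is resubmitted.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. All names below are assumptions.
set -eu

REALM="EXAMPLE.COM"
PRIMARY="ipa.example.com"
# One extra name per sub-zone interface (assumed names).
ALIASES="ipa.lab.example.com ipa.dmz.example.com"

# Print the ipa commands that register each extra name as a host and
# HTTP service principal alias. The IPA CA only issues a dNSName SAN that
# matches an alias of the service the cert is requested for.
alias_commands() {
  local a
  for a in $ALIASES; do
    echo "ipa host-add-principal $PRIMARY host/$a@$REALM"
    echo "ipa service-add-principal HTTP/$PRIMARY@$REALM HTTP/$a@$REALM"
  done
}

# Build the certmonger resubmit command that re-issues the tracked HTTP
# certificate with one -D per DNS SAN. $1 is the certmonger request id
# (find it with: getcert list | grep -B2 -A12 httpd).
resubmit_command() {
  local id="$1" cmd="ipa-getcert resubmit -i $1 -D $PRIMARY" a
  for a in $ALIASES; do cmd="$cmd -D $a"; done
  echo "$cmd"
}

# Return 0 iff the PEM certificate in $1 carries a dNSName SAN for every
# name in $2 (space separated); missing names are reported on stderr.
cert_covers_names() {
  local cert="$1" names="$2" sans missing="" n
  sans=$(openssl x509 -in "$cert" -noout -text \
         | grep -A1 'Subject Alternative Name' | tail -n1 \
         | tr ',' '\n' | sed -n 's/^ *DNS://p')
  for n in $names; do
    printf '%s\n' "$sans" | grep -qx "$n" || missing="$missing $n"
  done
  [ -z "$missing" ] || { echo "missing SAN:$missing" >&2; return 1; }
}

# Self-test helper: a constructed self-signed certificate with the same
# SAN set, standing in for the IPA-issued one. $1 is the output PEM path.
make_test_cert() {
  local out="$1" cfg="$1.cnf" sans="DNS:$PRIMARY" a
  for a in $ALIASES; do sans="$sans,DNS:$a"; done
  cat > "$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $PRIMARY
[ext]
subjectAltName = $sans
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
    -extensions ext -keyout "$out.key" -out "$out" 2>/dev/null
}

# Usage on the IPA server (commands only printed here, never executed):
#   alias_commands
#   resubmit_command <request-id>
#   cert_covers_names /var/lib/ipa/certs/httpd.crt "$PRIMARY $ALIASES"
```

Resubmitting through certmonger keeps the existing tracking request, so automatic renewal continues to carry the extra SANs; ipa-server-certinstall is the tool for installing a certificate obtained from somewhere other than the IPA CA. Whichever path is used, run the SAN check against the installed certificate (and again after the first renewal) rather than trusting the request that was submitted.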