Hello, everyone
I've got a problem similar to: https://serverfault.com/questions/253960/adding-subject-alternate-names-san-...
So, there is an HP crypto device for which I should issue a certificate (via FreeIPA CA). It allows you to generate a CSR, and there is no access to the private key or any kind of cmdline interface. But the device's internal CSR generation mechanism allows you to add only the CommonName, and there is no support for SAN. And I want to ask if there is a way to add SAN attributes during the certificate issue process on FreeIPA. Several thoughts from the serverfault answers:
- Edit the existing CSR, add SAN hostnames (because the CSR was signed by the private key, it will now be invalid), force FreeIPA not to check the signature.
- Extract the FreeIPA private key and maybe use some 3rd party tools to issue the certificate with the edited CSR (p. #1).
- Edit FreeIPA CA/PKI subsystem options to add SAN attributes (somehow?) at sign time.
Have a good day!
D. Vitenberg
On Thu, Jul 12, 2018 at 09:26:09AM -0000, vitenbergd--- via FreeIPA-users wrote:
Hello, everyone
I've got a problem similar to: https://serverfault.com/questions/253960/adding-subject-alternate-names-san-...
So, there is an HP crypto device for which I should issue a certificate (via FreeIPA CA). It allows you to generate a CSR, and there is no access to the private key or any kind of cmdline interface. But the device's internal CSR generation mechanism allows you to add only the CommonName, and there is no support for SAN. And I want to ask if there is a way to add SAN attributes during the certificate issue process on FreeIPA. Several thoughts from the serverfault answers:
- Edit the existing CSR, add SAN hostnames (because the CSR was signed by the private key, it will now be invalid), force FreeIPA not to check the signature.
- Extract the FreeIPA private key and maybe use some 3rd party tools to issue the certificate with the edited CSR (p. #1).
- Edit FreeIPA CA/PKI subsystem options to add SAN attributes (somehow?) at sign time.
The Dogtag CA as of IPA v4.5 (IIRC) provides the CommonNameToSANDefault profile component. If you include it on the relevant profile, the Subject DN CN attribute, if it looks like a DNS name, will be automatically copied to the SAN extension on the final certificate.
See my blog post[1] for more details:
[1] https://frasertweedale.github.io/blog-redhat/posts/2017-07-11-cn-deprecation...
HTH, Fraser
Have a good day!
D. Vitenberg
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
Thank you very much, there is a ton of valuable info in your blog related to this topic. Right now we are using version 4.4 of FreeIPA, and auto-conversion of CN -> SAN DNS was not the exact thing I wanted to achieve (though this feature is awesome); I used the SubjectAltNameExtDefault attribute to add a custom SAN field.
Have a good day!
D. Vitenberg
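To make the two CA-side mechanisms named in this thread concrete, here is an added illustration that is not code from the thread, FreeIPA or Dogtag. It issues a certificate from a CN-only CSR like the appliance's, verifying the CSR's self-signature (so the "edit the CSR and disable the signature check" idea is neither needed nor accepted), copying a DNS-looking CN into the SAN the way CommonNameToSANDefault does, and appending operator-chosen names the way a fixed SubjectAltNameExtDefault entry does. It assumes the third-party `cryptography` package is installed; the hostnames (`hsm01.example.test` and friends), the CA name, and the "looks like a DNS name" rule are constructed for the example, and the issuance logic only imitates the Dogtag components rather than reproducing their implementation.

```python
"""Added example (not from the thread, FreeIPA or Dogtag): CA-side SAN handling
for a CN-only CSR.  Requires the third-party `cryptography` package.  Hostnames,
CA name and the DNS-name heuristic are constructed for this illustration."""
import datetime
import re

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID

# RFC 1123 hostname label (constructed heuristic; Dogtag's own test may differ).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def looks_like_dns_name(value: str) -> bool:
    """True if the CN could be placed in the SAN as a DNSName."""
    if not value or len(value) > 253 or value.endswith("."):
        return False
    return all(_LABEL.match(label) for label in value.split("."))


def make_device_csr(cn: str) -> x509.CertificateSigningRequest:
    """Stand-in for the appliance's CSR: subject CN only, no SAN (constructed sample)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
        .sign(key, hashes.SHA256())
    )


def csr_requested_dns_names(csr: x509.CertificateSigningRequest) -> list:
    """DNS names the CSR itself asks for; empty for the CN-only device request."""
    try:
        ext = csr.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
    except x509.ExtensionNotFound:
        return []
    return ext.value.get_values_for_type(x509.DNSName)


def issue(csr, ca_key, ca_name, extra_dns_names=()) -> x509.Certificate:
    """Sign the CSR; the CA, not the CSR, decides what goes into the SAN."""
    # The CSR self-signature stays enforced, as Dogtag enforces it, so a CSR
    # whose subject was rewritten after signing is refused.
    if not csr.is_signature_valid:
        raise ValueError("CSR signature invalid: request rejected")
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    names = list(csr_requested_dns_names(csr))
    if looks_like_dns_name(cn) and cn not in names:  # CommonNameToSANDefault behaviour
        names.append(cn)
    for name in extra_dns_names:                     # fixed SubjectAltNameExtDefault entries
        if name not in names:
            names.append(name)
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(ca_name)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
    )
    if names:  # a server cert without SAN is rejected by modern TLS clients anyway
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(n) for n in names]), critical=False)
    return builder.sign(ca_key, hashes.SHA256())


def cert_dns_names(cert: x509.Certificate) -> list:
    """DNS names actually present in the issued certificate's SAN extension."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return []
    return ext.value.get_values_for_type(x509.DNSName)


def demo():
    """Issue for a constructed device CSR; also show an edited CSR is refused."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Lab CA")])
    csr = make_device_csr("hsm01.example.test")
    cert = issue(csr, ca_key, ca_name, extra_dns_names=["hsm01", "hsm01.mgmt.example.test"])
    # Thought 1 from the thread: rewriting the CN in the DER breaks the self-signature.
    edited = csr.public_bytes(serialization.Encoding.DER).replace(
        b"hsm01.example.test", b"hsm99.example.test", 1)
    try:
        issue(x509.load_der_x509_csr(edited), ca_key, ca_name)
        edited_rejected = False
    except ValueError:
        edited_rejected = True
    return csr_requested_dns_names(csr), cert_dns_names(cert), edited_rejected


if __name__ == "__main__":
    print(demo())
```

The point of the `is_signature_valid` gate is that the CSR only conveys the public key and a subject; every extension on the final certificate is the CA's decision, which is exactly why a profile component can supply the SAN without anyone touching the device's request.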
On Fri, Jul 13, 2018 at 09:13:02AM -0000, vitenbergd--- via FreeIPA-users wrote:
Thank you very much, there is a ton of valuable info in your blog related to this topic. Right now we are using version 4.4 of FreeIPA, and auto-conversion of CN -> SAN DNS was not the exact thing I wanted to achieve (though this feature is awesome); I used the SubjectAltNameExtDefault attribute to add a custom SAN field.
Have a good day!
D. Vitenberg
You're welcome. Glad you were able to sort it out.
Cheers, Fraser