Generate certificate with SubjectAltName attributes in FreeIPA

Overview

Last updated 2018-05-17

If you want to serve web pages with TLS certificates that carry Subject Alternative Names, and you use FreeIPA, a few extra steps are needed. If you got to this page you probably already know why SANs matter: modern browsers validate the hostname against the SAN list rather than the Common Name, so a certificate without the extension is rejected even for the name in its CN. This document demonstrates how to get the IPA CA to sign a certificate that has the ever-important SubjectAltName extension.

Example environment

The FreeIPA domain is ipa.example.com (realm IPA.EXAMPLE.COM). Host storage1.ipa.example.com serves https, and I also want to serve it under other names:

secondary.domain.com
www.ipa.example.com
www.example.com

The SANs don't even need to be in the same domain as the host.

Generate certificate with SAN in freeipa

Generate private key

openssl genrsa -aes256 -out /root/certs/https-storage1.ipa.example.com.key 2048

The -aes256 option encrypts the key at rest with a passphrase, and 2048 bits is the minimum you should use today. Keep in mind that httpd will then prompt for the passphrase at every start (or need an SSLPassPhraseDialog helper), so many deployments strip it again with openssl rsa and rely on file ownership and mode 0600 instead. If you keep the passphrase, a trivially guessable one protects nothing; pick one you can remember but would not want to see in a wordlist.

Generate certificate signing request

Before generating the CSR, the openssl.cnf used by openssl req has to be told to emit the Subject Alternative Name extension; by default it does not, and a request without the extension gets signed without it. On CentOS 7 that file is /etc/pki/tls/openssl.cnf. In the [ req ] section add (or uncomment) the line

req_extensions = v3_req

In the [ v3_req ] section add the following lines, which also create a new [ alt_names ] section. List every name the certificate must answer to, the Common Name included, because browsers match the hostname against the SAN list and ignore the CN:

subjectAltName = @alt_names

[alt_names]
DNS.1 = secondary.domain.com
DNS.2 = storage1.ipa.example.com
DNS.3 = www.ipa.example.com
DNS.4 = www.example.com

IP addresses go in as IP.1 = 192.168.1.1 entries. Bear in mind that this edits the system-wide file, so every later openssl req on the box picks up these names unless you remove them again or keep the SAN section in a private copy of the file passed with -config. On my CentOS 7 system, here is the diff:

# diff /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.2017-05-19.01 
126c126
< req_extensions = v3_req # The extensions to add to a certificate request --- > # req_extensions = v3_req # The extensions to add to a certificate request
225,232d224
< 
< subjectAltName = @alt_names
< 
< [alt_names]
< DNS.1 = secondary.domain.com
< DNS.2 = storage1.ipa.example.com
< DNS.3 = www.ipa.example.com
< DNS.4 = www.example.com
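Review bot: the diff was taken with the edited file as the first argument and the dated backup as the second, so it reads backwards: the `<` lines under 225,232d224 are the additions, not deletions, and 126c126 shows `req_extensions = v3_req` being uncommented rather than added (the trailing `# The extensions to add to a certificate request` comment on the same line is harmless, since the OpenSSL config parser accepts a comment after a value). Swap the arguments, or use diff -u, to get a patch that reads in the conventional direction.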

Reference: http://apetec.com/support/GenerateSAN-CSR.htm

Now generate the csr. The DN fields are prompted for as usual; the SAN list is not, because it comes straight from the [alt_names] section. Afterwards, confirm the request really carries the extension (openssl req -noout -text -in FILE, look for the X509v3 Subject Alternative Name block) before sending it to IPA, since a request generated from an unmodified config silently comes out without it.

# openssl req -new -key /root/certs/https-storage1.ipa.example.com.key -out /root/certs/https-storage1.ipa.example.com.csr
Enter pass phrase for /root/certs/https-storage1.ipa.example.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Some State
Locality Name (eg, city) [Default City]:Default City
Organization Name (eg, company) [Default Company Ltd]:Example.com
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:storage1.ipa.example.com
Email Address []:bgstack15@gmail.com

Make entries in freeipa

IPA will only sign a request whose SAN names it can account for: each DNS name needs a host entry and an HTTP service principal for that host. So manually create the hosts. You can force them; they are just dummy hosts that will never enroll. Then manually create HTTP service entries for each of those hosts:

HTTP/secondary.domain.com@IPA.EXAMPLE.COM
HTTP/www.ipa.example.com@IPA.EXAMPLE.COM
HTTP/www.example.com@IPA.EXAMPLE.COM

I used the web interface for this, because it was easier for me. But everything in FreeIPA can be done with the CLI; I simply haven't done the research for how to make new host objects in FreeIPA on the command line yet. Reference: https://www.redhat.com/archives/freeipa-users/2014-September/msg00267.html

Updated 2020-09-21

With an admin Kerberos ticket (kinit admin), run the following. The --force flag skips the DNS lookup IPA would otherwise insist on, which is what lets names outside IPA's own DNS be added as dummy entries:

ipa host-add --force secondary.domain.com
ipa host-add --force www.ipa.example.com
ipa host-add --force www.example.com
ipa service-add --force HTTP/secondary.domain.com
ipa service-add --force HTTP/www.ipa.example.com
ipa service-add --force HTTP/www.example.com

Sign the certificate

In the web UI, navigate to Identity -> Services -> principal HTTP/storage1.ipa.example.com@IPA.EXAMPLE.COM, open the Actions menu and choose New Certificate, then paste the contents of the csr file. The request is submitted to the IPA CA under that service principal; IPA checks that every DNS name in the SAN list belongs to a host or HTTP service it knows about, which is why the dummy entries above must exist first. The command-line equivalent is ipa cert-request with the CSR file and --principal.

Retrieve the certificate

In the web UI, under the section Service Certificate, open the Actions menu and choose Get certificate. Copy the PEM text into a file next to the key (for example /root/certs/https-storage1.ipa.example.com.crt), point httpd's SSLCertificateFile at it, and check the signed certificate with openssl x509 -noout -text as well: the CA, not the CSR, has the final say over which extensions end up in the certificate, so verify the SAN list survived signing before restarting the web server.
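Putting the whole procedure together, here is an added example script (my own, not the page author's code) that keeps the SAN configuration in a private file passed to openssl req -config instead of editing /etc/pki/tls/openssl.cnf, checks that the CSR actually carries the extension, and then does the host-add, service-add and cert-request steps with the ipa CLI. The hostnames and the /root/certs path are the article's; the function names, the IP: prefix convention for address entries, and the --certificate-out option are my assumptions (check ipa cert-request --help on your version). Unlike the article it leaves the key unencrypted with mode 0600 so httpd can start unattended.

```shell
#!/bin/sh
# Added example, not from the original page: generate a SAN CSR with a private
# openssl config (system openssl.cnf untouched), verify it, and submit it to the
# IPA CA. Names and paths are the article's; function names are my own.
set -eu

# san_config CN NAME... : print an openssl req config on stdout. The CN is
# listed as the first SAN because browsers match the SAN list, not the CN.
# A NAME of the form IP:1.2.3.4 becomes an IP entry instead of a DNS entry.
san_config() {
    cn=$1; shift
    cat <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[dn]
CN = $cn

[v3_req]
subjectAltName = @alt_names

[alt_names]
EOF
    i=1
    for name in "$cn" "$@"; do
        case $name in
            IP:*) printf 'IP.%d = %s\n' "$i" "${name#IP:}" ;;
            *)    printf 'DNS.%d = %s\n' "$i" "$name" ;;
        esac
        i=$((i + 1))
    done
}

# make_csr OUTDIR CN NAME... : write OUTDIR/CN.cnf, .key and .csr. The key is
# left unencrypted (mode 0600) so httpd can start without a passphrase prompt.
make_csr() {
    dir=$1; cn=$2; shift 2
    san_config "$cn" "$@" > "$dir/$cn.cnf"
    (umask 077; openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/$cn.key" -config "$dir/$cn.cnf" -out "$dir/$cn.csr"
}

# csr_sans CSRFILE : print the SAN list the request really carries, e.g.
# "DNS:storage1.ipa.example.com, DNS:secondary.domain.com". Empty output means
# the extension is missing and IPA would sign a CN-only certificate.
csr_sans() {
    openssl req -noout -text -in "$1" \
        | awk '/X509v3 Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print }'
}

# submit_to_ipa CSRFILE PRINCIPAL CERTOUT NAME... : needs an admin ticket
# (kinit admin). --force skips the DNS lookup IPA would otherwise insist on,
# which is what lets names outside IPA's own DNS be added as dummy hosts.
# host-show/service-show first so re-running does not fail on "already exists".
submit_to_ipa() {
    csr=$1; principal=$2; out=$3; shift 3
    for name in "$@"; do
        case $name in IP:*) continue ;; esac
        ipa host-show "$name" >/dev/null 2>&1 || ipa host-add --force "$name"
        ipa service-show "HTTP/$name" >/dev/null 2>&1 || ipa service-add --force "HTTP/$name"
    done
    ipa cert-request "$csr" --principal "$principal" --certificate-out "$out"
}

# main OUTDIR CN NAME... : end to end; refuses to submit a CSR without SANs.
main() {
    dir=$1; cn=$2; shift 2
    make_csr "$dir" "$cn" "$@"
    sans=$(csr_sans "$dir/$cn.csr")
    [ -n "$sans" ] || { echo "CSR has no SAN extension, aborting" >&2; exit 1; }
    echo "CSR carries: $sans"
    submit_to_ipa "$dir/$cn.csr" "HTTP/$cn" "$dir/$cn.crt" "$@"
}

# Usage: sh ipa-san-csr.sh /root/certs storage1.ipa.example.com \
#     secondary.domain.com www.ipa.example.com www.example.com
if [ $# -ge 2 ]; then
    main "$@"
fi
```

The CN host (storage1.ipa.example.com) is assumed to be an enrolled IPA client that already has its host and HTTP service entries, so only the extra names are created. Run it as root on the web server itself so the key never leaves the machine.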

References

Weblinks

  1. Generate CSR with SAN http://apetec.com/support/GenerateSAN-CSR.htm
  2. Generate each host and HTTP service https://www.redhat.com/archives/freeipa-users/2014-September/msg00267.html
  3. Generate CSR
