Knowledge Base

Preserving for the future: Shell scripts, AoC, and more

Latest way to get certificate in FreeIPA

Copy pasta

openssl genpkey -algorithm RSA -out
openssl req -new -key -subj "/O=IPA.INTERNAL.COM/" -addext "subjectAltName =," -out
ipa host-add --force
ipa host-add --force
ipa service-add --force HTTP/
ipa service-add --force HTTP/
ipa service-add --force HTTP/
ipa cert-request --chain --principal=HTTP/

Extra step, in case you forgot to add "--chain" to the cert-request above: it looks up the certificate already issued for this host's HTTP service and prints it together with its chain. The chain is not necessary for a 2-deep cert chain, that is, if you don't have an intermediate certificate between your server cert and the root CA.

sn="$( ipa cert-find --raw --services=HTTP/"$( hostname -f )" | awk '/serial_number:/{print $NF}' )"
ipa cert-show --chain "${sn}"
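The copy-pasta above, wrapped into a reusable POSIX shell script as an added example (not code from the original post). It assumes the realm, primary host name and alias host names are passed as arguments (the example values in the comments are placeholders), that the primary host is already enrolled, and that an admin Kerberos ticket is held.

```shell
#!/bin/sh
# Added example: request a FreeIPA-issued HTTP certificate with SANs.
# Usage: ./ipa-http-cert.sh IPA.INTERNAL.COM www.ipa.internal.com alias1.ipa.internal.com ...
# (all names above are placeholders, not values from the original post)
set -eu

# Build the subjectAltName value that `openssl req -addext` expects,
# e.g. "DNS:a.example,DNS:b.example", from a list of FQDNs.
build_san() {
    san=""
    for h in "$@"; do
        san="${san:+${san},}DNS:${h}"
    done
    printf '%s' "${san}"
}

# Extract serial numbers from `ipa cert-find --raw` output on stdin
# (the awk one-liner from the post, made testable offline).
serial_from_raw() {
    awk '/serial_number:/{print $NF}'
}

# Recovery path if --chain was forgotten: show the issued cert with its chain.
chain_for_host() {
    sn="$( ipa cert-find --raw --services="HTTP/$1" | serial_from_raw )"
    ipa cert-show --chain "${sn}"
}

# Full flow: key, CSR with SANs, alias hosts, HTTP services, cert request.
# The CN (assumed here) must name the host that owns the HTTP principal.
request_cert() {
    realm="$1"; primary="$2"; shift 2
    san="$(build_san "${primary}" "$@")"
    openssl genpkey -algorithm RSA -out "${primary}.key"
    openssl req -new -key "${primary}.key" \
        -subj "/O=${realm}/CN=${primary}" \
        -addext "subjectAltName = ${san}" -out "${primary}.csr"
    for h in "$@"; do                      # aliases only; primary is enrolled
        ipa host-add --force "${h}"        # --force: skip the DNS check
    done
    for h in "${primary}" "$@"; do
        ipa service-add --force "HTTP/${h}"
    done
    # --chain is harmless for a 2-deep chain and needed when an intermediate exists
    ipa cert-request --chain --principal="HTTP/${primary}" "${primary}.csr"
}

[ "$#" -eq 0 ] || request_cert "$@"
```

Run `chain_for_host www.ipa.internal.com` from the same shell if the request was made without `--chain`.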


I learned from the openssl genrsa man page that you can use genpkey instead, which simplifies the command a little. And now, with later versions of openssl, you can pass the SAN extensions (-addext) and even the subject (-subj) on the command line! I remember reading about that years ago, but this is the first time my server environment has had a new enough version of openssl to take advantage of it.


  1. Generate certificate with SubjectAltName attributes in FreeIPA
  2. openssl-genpkey(1ossl)