Latest way to get certificate in FreeIPA
Copy pasta
openssl genpkey -algorithm RSA -out https-app1.ipa.internal.com.key
openssl req -new -key https-app1.ipa.internal.com.key -subj "/O=IPA.INTERNAL.COM/CN=app1.ipa.internal.com" -addext "subjectAltName = DNS:webapp.ipa.internal.com,DNS:app.ipa.internal.com" -out https-app1.ipa.internal.com.csr
ipa host-add --force webapp.ipa.internal.com
ipa host-add --force app.ipa.internal.com
ipa service-add --force HTTP/app1.ipa.internal.com
ipa service-add --force HTTP/webapp.ipa.internal.com
ipa service-add --force HTTP/app.ipa.internal.com
ipa cert-request --chain --principal=HTTP/app1.ipa.internal.com https-app1.ipa.internal.com.csr --certificate-out=https-app1.ipa.internal.com.pem
Extra, in case you forget to add "--chain" to the cert-request command above. The chain file is not necessary for a 2-deep cert chain, that is, if you don't have an intermediate certificate. If more than one certificate matches the service (for example after a renewal), cert-find prints several serial numbers, so check the output before passing it to cert-show.
sn="$( ipa cert-find --raw --services=HTTP/"$( hostname -f )" | awk '/serial_number:/{print $NF}' )"
ipa cert-show --chain "${sn}" --certificate-out=https-app1.ipa.internal.com.chain.pem
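An added sanity check (my own example, not from the original post): once the certificate file is back from IPA, confirm that the key really matches it, that every SAN from the CSR survived issuance, and that the file actually contains a chain. It assumes openssl 1.1.1 or later in PATH and that the issued leaf certificate is the first PEM block in the file.

```shell
# Count PEM certificate blocks in a file. A result of 1 means "--chain" was
# forgotten (or the CA simply has no intermediate, as the post notes).
chain_depth() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeed when the private key ($1) matches the public key of the first
# certificate in $2. Both sides are reduced to a SHA-256 of the DER SPKI so
# the comparison does not depend on PEM line wrapping.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey \
             | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$key_pub" = "$cert_pub" ]
}

# Succeed when every DNS name requested in the CSR ($1) is present in the
# issued certificate ($2). IPA only issues names whose hosts/services you
# registered, so a missing name usually means a forgotten host-add.
san_preserved() {
  csr_sans=$(openssl req -in "$1" -noout -text \
             | grep -o 'DNS:[^,[:space:]]*' | sort -u)
  cert_sans=$(openssl x509 -in "$2" -noout -ext subjectAltName \
             | grep -o 'DNS:[^,[:space:]]*' | sort -u)
  for name in $csr_sans; do
    printf '%s\n' "$cert_sans" | grep -qx "$name" \
      || { echo "missing from certificate: $name" >&2; return 1; }
  done
}

# Run all three checks against the files named in the post (hypothetical
# file names, taken from the post's own naming scheme).
check_issued_cert() {
  key=$1; csr=$2; pem=$3
  echo "chain depth: $(chain_depth "$pem")"
  key_matches_cert "$key" "$pem" && echo "key matches certificate"
  san_preserved "$csr" "$pem" && echo "all requested SANs present"
}

if [ "${1:-}" = "check" ]; then
  check_issued_cert https-app1.ipa.internal.com.key \
                    https-app1.ipa.internal.com.csr \
                    https-app1.ipa.internal.com.pem
fi
```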
Explanation
I learned you can use genpkey from the (openssl) genrsa man page. This simplifies the command a little. And now, with the later versions of openssl, you can pass SAN extensions and even the subject on the command line! I remember reading about that years ago, but this is the first time my server environment has had a new enough version of openssl to take advantage of it.