
A while ago I was wondering how I could create an SSL certificate for a CNAME. This came up as we always use generic A-records for our virtual machines. Services running on those virtual machines should be accessed by users by their service name over SSL. We use FreeIPA as our Certificate Authority.



Sometimes you search for an answer for ages, and find the answer on multiple websites which are not very clear. I will explain my answer by means of an example to show the differences in requesting a certificate from FreeIPA with a cname and without a cname.

We make an imaginary virtual machine with an a-record being abc955-xy.example.com. On this machine we will run postgres. So, out of convenience, the cname will be postgresql.example.com. First we create a certificate for abc955-xy.example.com, which is only valid for the fqdn. Second, we create a certificate for the cname, which is also valid for the fqdn.

Certificate without a cname

# Generate a private key
openssl genrsa -out abc955-xy.example.com.key 4096

# Add the host to FreeIPA
ipa host-add abc955-xy.example.com --force

# Create a host principal for the service HTTP
ipa service-add HTTP/abc955-xy.example.com

# Add the host principal to the host
ipa service-add-host HTTP/abc955-xy.example.com --host abc955-xy.example.com

# Request a certificate for the host, using the principal and private key
ipa-getcert request -r -f abc955-xy.example.com.crt -k abc955-xy.example.com.key \
-K HTTP/abc955-xy.example.com -D abc955-xy.example.com

Certificate including a cname

# Generate a private key
openssl genrsa -out postgresql.example.com.key 4096

# Add the host to FreeIPA, using the cname
ipa host-add postgresql.example.com --force

# Create a host principal for the service HTTP
ipa service-add HTTP/abc955-xy.example.com

# Create a principal for the service HTTP with the cname
ipa service-add HTTP/postgresql.example.com --force

# Add the cname principal to the host
ipa service-add-host HTTP/postgresql.example.com --host abc955-xy.example.com

# Request a certificate for the host, using the principal and private key and cname
ipa-getcert request -r -f postgresql.example.com.crt -k postgresql.example.com.key \
-K HTTP/postgresql.example.com -D postgresql.example.com -D abc955-xy.example.com

Other than some naming differences, the main difference between both options is that you add the HTTP-principal with the cname to the host instead of the HTTP-principal with the fqdn.

Note: since browsers such as Chrome and Chromium only accept certificates with a Subject Alternative Name (SAN) as of version 65, you need to add a Subject Alternative Name to certificates without a cname too. This is where the option -D comes from in the ipa-getcert request. For certificates without a cname, you have to supply the fqdn.

  • What's the purpose of the openssl genrsa... part? In other tutorials I've come across this hasn't been present (or needed). Perhaps it's because the host is already enrolled in IPA? – bolind Sep 23 '20 at 11:03
  • It could also be due to the fact that the key is stored in an NSS database, which stores the actual key. Then the request would look like: ipa-getcert request -d /path/to/database – Cloudkollektiv Sep 23 '20 at 12:59
# Set variables
DOMAIN=domain.name
CNAME=cname
DEST_MACHINE=dest-machine

# Add CNAME DNS record: $CNAME => $DEST_MACHINE
ipa dnsrecord-add "$DOMAIN" "$CNAME" --cname-hostname="$DEST_MACHINE"

# Generate a private key
## in /etc/pki/tls/private
## or another dir (the SELinux fcontext of that dir should be cert_t)
sudo openssl genrsa -out "/etc/pki/tls/private/${CNAME}_${DEST_MACHINE}.key" 4096

# Create the HTTP service for $DEST_MACHINE.$DOMAIN
ipa service-add "HTTP/${DEST_MACHINE}.${DOMAIN}"

# Add the alias HTTP/$CNAME.$DOMAIN to HTTP/$DEST_MACHINE.$DOMAIN
ipa service-add-principal "HTTP/${DEST_MACHINE}.${DOMAIN}" "HTTP/${CNAME}.${DOMAIN}"

# Request a certificate for HTTP/$DEST_MACHINE.$DOMAIN
# with these DNS names (SANs):
## $DEST_MACHINE.$DOMAIN
## $CNAME.$DOMAIN
sudo ipa-getcert request -r \
-f "/etc/pki/tls/private/${CNAME}_${DEST_MACHINE}.crt" \
-k "/etc/pki/tls/private/${CNAME}_${DEST_MACHINE}.key" \
-K "HTTP/${DEST_MACHINE}.${DOMAIN}" \
-D "${DEST_MACHINE}.${DOMAIN}" \
-D "${CNAME}.${DOMAIN}"

# Show info about certificate requests
sudo ipa-getcert list

# List the contents of the certificates dir
ls /etc/pki/tls/private/

# Now just use those certificates with your web services
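Both answers end once ipa-getcert has issued the certificate; what a practitioner then wants is to confirm it really carries the CNAME and the FQDN as SANs and passes a client's hostname check. The script below is an added example, not code from either answer: it assumes OpenSSL 1.1.1 or later and builds a throw-away self-signed certificate as a constructed stand-in for the FreeIPA-issued one; in practice you would pass the real .crt and the IPA CA bundle (typically /etc/ipa/ca.crt) to cert_covers instead.

```sh
#!/bin/sh
# Added example (not from the original answers): verify that an issued
# certificate covers every DNS name clients will connect with.
# Assumes openssl >= 1.1.1 (needed for -addext and -ext).
set -eu

# san_names CERT -> prints the DNS entries of CERT's subjectAltName, one per line
san_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# cert_covers CERT CAFILE NAME... -> 0 if CERT lists every NAME as a DNS SAN
# and OpenSSL's own hostname verification accepts it for each NAME, else 1
cert_covers() {
    cert=$1; ca=$2; shift 2
    status=0
    for name in "$@"; do
        if ! san_names "$cert" | grep -qx "$name"; then
            echo "MISSING SAN: $name"; status=1; continue
        fi
        if ! openssl verify -CAfile "$ca" -verify_hostname "$name" "$cert" >/dev/null 2>&1; then
            echo "HOSTNAME CHECK FAILED: $name"; status=1
        fi
    done
    return $status
}

# Constructed sample: a self-signed cert shaped like the "certificate including
# a cname" above (CN = FQDN, SANs = cname + FQDN). Prints the cert path.
make_sample_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=abc955-xy.example.com" \
        -addext "subjectAltName=DNS:postgresql.example.com,DNS:abc955-xy.example.com" \
        >/dev/null 2>&1
    echo "$dir/cert.pem"
}

SAMPLE=$(make_sample_cert)
# For a self-signed sample the cert is its own trust anchor; use /etc/ipa/ca.crt for real certs.
cert_covers "$SAMPLE" "$SAMPLE" postgresql.example.com abc955-xy.example.com \
    && echo "all names covered"
```

A certificate requested with only the FQDN in -D fails this check for the CNAME, which is exactly the case the SAN note above warns about.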