How to Have Wildcard Certificates in FreeIPA (Red Hat IDM)
If you have tried to issue certificates from FreeIPA, you have surely found out that it only does so for things it knows about: you need a service principal.
But a service principal can be created for a DNS record; you don't actually need an enrolled host or user!
Firstly, you need to add a wildcard DNS record:
rms@idm:~$ ipa dnsrecord-add lab.1407.org '*' --a-ip-address=192.168......
Record name: *
A record: 192.168......
rms@idm:~$
Then you need to add a service (skipping the host check is key here, since *.lab.1407.org is not an enrolled host):
rms@idm:~$ ipa service-add --skip-host-check HTTP/*.lab.1407.org@LAB.1407.ORG
------------------------------------------------
Added service "HTTP/*.lab.1407.org@LAB.1407.ORG"
------------------------------------------------
Principal name: HTTP/*.lab.1407.org@LAB.1407.ORG
Principal alias: HTTP/*.lab.1407.org@LAB.1407.ORG
We’re almost ready, but we’re still missing a Certificate Signing Request in order to have FreeIPA issue the proper certificate.
Create an OpenSSL config file (you can optimize the following two steps with a very small shell script). The wildcard must appear in the subjectAltName as well as the CN; note that the DN field for the unit is organizationalUnitName, as OpenSSL silently skips field names it does not recognise:
rms@fedora:~/LAB/x.509$ cat > openssl-lab.1407.org.cnf <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
organizationName = 1407.Org
organizationName_default = 1407.Org
organizationalUnitName = LAB
organizationalUnitName_default = LAB
commonName = *.lab.1407.org
commonName_max = 64
commonName_default = *.lab.1407.org
[ req_ext ]
# the SAN is what clients actually match the wildcard against
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = *.lab.1407.org
EOF
And then you create the CSR and private key file:
rms@fedora:~/LAB/x.509$ openssl req -config openssl-lab.1407.org.cnf -newkey rsa:2048 \
-keyout star.lab.1407.org.key -out star.lab.1407.org.csr
+.+++++.......................................*++.++++++++.+++.++++....................
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1407.Org [1407.Org]:
*.lab.1407.org [*.lab.1407.org]:
Finally, you need to submit the CSR and output the signed certificate to a file (this way you’ll get the chain as well):
rms@idm:~$ ipa cert-request star.lab.1407.org.csr \
--ca=ipa --profile-id=caIPAserviceCert --principal=HTTP/*.lab.1407.org@LAB.1407.ORG \
--chain --certificate-out star.lab.1407.org.crt
Issuing CA: ipa
Certificate: MIIEqzCCAxOgAwIBAgIBEjANBgkqhkiG9w0BAQsFADA3MRUwEwYDVQQKDAxMQUIuMTQwNy5PUkcxHjAcBgNVBAMMFUNlcnRpZml...
Certificate chain: MIIEqzCCAxOgAwIBAgIBEjANBgkqhkiG9w0BAQsFADA3MRUwEwYDVQQKDAxMQUIuMTQwNy5PUkcxHjAcBgNVBAMMFUNlc...
MIIETDCCArSgAwIBAgIBATANBgkqhkiG9w0BAQsFADA3MRUwEwYDVQQKDAxMQUIuMTQwNy5PUkcxHjAcBgNVBAMMFUNlc...
Subject: CN=*.lab.1407.org,O=LAB.1407.ORG
Subject DNS name: *.lab.1407.org
Issuer: CN=Certificate Authority,O=LAB.1407.ORG
Not Before: Sat Mar 22 19:54:33 2025 UTC
Not After: Tue Mar 23 19:54:33 2027 UTC
Serial number: 18
Serial number (hex): 0x12
rms@idm:~$ openssl x509 -noout -subject -issuer < star.lab.1407.org.crt
subject=O=LAB.1407.ORG, CN=*.lab.1407.org
issuer=O=LAB.1407.ORG, CN=Certificate Authority
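The small shell script mentioned above, as an added example that is not from the original post: it generates the OpenSSL config and CSR for a wildcard name, submits the request to the IPA CA under the matching service principal and then fails unless the issued certificate really carries the wildcard SAN. It assumes an enrolled client with the ipa CLI and a valid Kerberos ticket, takes domain, realm, organisation and unit as arguments, and names files after the post's star.<domain>.* pattern.

```shell
#!/bin/sh
# Added example (not from the post): script the config/CSR/request steps.
set -eu

# Build the service principal from the domain and Kerberos realm
# (lab.1407.org + LAB.1407.ORG -> HTTP/*.lab.1407.org@LAB.1407.ORG).
wildcard_principal() {
    printf 'HTTP/*.%s@%s\n' "$1" "$2"
}

# Emit an OpenSSL request config with the wildcard in both CN and SAN.
# prompt = no makes the request non-interactive; the DN field for the
# unit is organizationalUnitName (OpenSSL silently skips unknown names).
wildcard_req_config() {
    domain=$1 org=$2 ou=$3
    cat <<EOF
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
organizationName = $org
organizationalUnitName = $ou
commonName = *.$domain
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = *.$domain
EOF
}

# Key + CSR, submit to the IPA CA under the service principal, then fail
# unless the issued certificate really carries the wildcard SAN.
issue_wildcard_cert() {
    domain=$1 realm=$2 org=$3 ou=$4
    base="star.$domain"
    umask 077   # unencrypted key (-nodes): keep it readable by owner only
    wildcard_req_config "$domain" "$org" "$ou" > "openssl-$domain.cnf"
    openssl req -config "openssl-$domain.cnf" -newkey rsa:2048 -nodes \
        -keyout "$base.key" -out "$base.csr"
    ipa cert-request "$base.csr" --ca=ipa --profile-id=caIPAserviceCert \
        --principal="$(wildcard_principal "$domain" "$realm")" \
        --chain --certificate-out "$base.crt"
    openssl x509 -noout -ext subjectAltName -in "$base.crt" \
        | grep -q "DNS:\*\.$domain"
}

# Usage: sh wildcard-cert.sh lab.1407.org LAB.1407.ORG 1407.Org LAB
if [ $# -eq 4 ]; then issue_wildcard_cert "$@"; fi
```

Unlike the post's interactive run, the key is written without a pass phrase so the script can run unattended; the umask keeps it owner-readable only.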
So now I can have my lab with only one certificate, rather than having the trouble of issuing one for everything, and I hope this little post was useful to you.