On Tue, Aug 26, 2025 at 03:40:47PM +1000, Fraser Tweedale wrote:
> Hi Harry,
>
> Here are the rules for validation of iPAddressName values in the SAN
> extension:
>
> 1. Each iPAddressName value must be the result of resolving at least
>    one of the dNSName values.
>
> 2. Each iPAddressName value must have a PTR record that returns a
>    name that resolves back to that IP address.
>
> 3. Only the IPA DNS records are consulted, because only data in the
>    IPA database is trusted for CSR validation.
>
> > Would freeipa be able to issue IPs in certificates if I enabled freeipa's
> > dns system but pointed it off-host for all resolutions? Or is it required
> > the DNS records be in local LDAP 'no matter what'.
>
> Yes, that is required. There is no "force" option. Trusting
> external DNSSec is something that could be considered, but we are
> unlikely to implement this unless there is a compelling driver.
>
> Feel free to file an RFE, especially if you or your organisation may
> be able to help deliver it. (These are not empty words - the
> current SAN IP support was also a community contribution).
I should mention one more thing: there is a ticket to add support for the IP identifier type to the Dogtag ACME server: https://issues.redhat.com/browse/IDM-2313. If ACME could work for your use case feel free to add a comment to that ticket.

Cheers,
Fraser
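The three rules quoted above (forward resolution from a dNSName, a PTR record, and the PTR name resolving back, all consulted only against IPA-managed records) can be illustrated as a small validator. The code below is an added example written for this archive, not FreeIPA's own implementation; the record dictionaries `IPA_FORWARD` and `IPA_REVERSE` are constructed sample data standing in for the IPA DNS database, and `validate_san_ips` is a hypothetical helper name.

```python
import ipaddress

# Constructed sample of IPA-managed DNS records (stand-in for the IPA DNS
# database; no real hosts). Only these records are consulted, mirroring
# rule 3: external resolvers are never asked.
IPA_FORWARD = {
    "web1.example.test": {"192.0.2.10", "2001:db8::10"},
    "web2.example.test": {"192.0.2.11"},
    "alias.example.test": {"192.0.2.12"},
    "other.example.test": {"192.0.2.99"},
}
IPA_REVERSE = {
    "192.0.2.10": {"web1.example.test"},
    "2001:db8::10": {"web1.example.test"},
    # PTR exists but names a host that does not resolve back to this address
    "192.0.2.11": {"other.example.test"},
    # 192.0.2.12 deliberately has no PTR record
}


def _norm_ip(value):
    """Canonical textual form so '2001:0db8::10' and '2001:db8::10' compare equal."""
    return str(ipaddress.ip_address(value))


def _norm_name(name):
    return name.rstrip(".").lower()


def validate_san_ips(dns_names, ip_names, forward=IPA_FORWARD, reverse=IPA_REVERSE):
    """Check iPAddressName values of a CSR's SAN against the dNSName values.

    Returns a list of (ip, reason) rejections; an empty list means every
    iPAddressName satisfies rules 1 and 2 using only the supplied records.
    """
    problems = []

    # Rule 1: the set of addresses obtainable by resolving the dNSName values.
    resolvable = set()
    for name in dns_names:
        resolvable |= {_norm_ip(a) for a in forward.get(_norm_name(name), set())}

    for raw in ip_names:
        ip = _norm_ip(raw)
        if ip not in resolvable:
            problems.append((ip, "not the result of resolving any dNSName"))
            continue

        # Rule 2a: a PTR record must exist for the address.
        ptr_names = {_norm_name(p) for p in reverse.get(ip, set())}
        if not ptr_names:
            problems.append((ip, "no PTR record"))
            continue

        # Rule 2b: at least one PTR target must resolve back to the address.
        if not any(ip in {_norm_ip(a) for a in forward.get(p, set())} for p in ptr_names):
            problems.append((ip, "PTR name does not resolve back to the address"))

    return problems


if __name__ == "__main__":
    print(validate_san_ips(["web1.example.test"], ["192.0.2.10", "2001:0db8::10"]))
    print(validate_san_ips(["web2.example.test"], ["192.0.2.11"]))
    print(validate_san_ips(["alias.example.test"], ["192.0.2.12"]))
    print(validate_san_ips(["web1.example.test"], ["198.51.100.5"]))
```

The validator deliberately takes the record sets as parameters rather than querying a resolver, which is the point of rule 3: an iPAddressName is only as trustworthy as the data it was checked against, so the check must be confined to records the CA's own database controls.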