Configuring an SSSD Provider to Use an IP Address in the Certificate Subject Name

Updated -

Using an IP address in the ldap_uri option (in the /etc/sssd/sssd.conf file) instead of the server name can cause the TLS/SSL connection to fail, because TLS/SSL certificates contain the server name, not the IP address. However, you can use the subject alternative name field in the certificate to include the IP address of the server, which enables a successful secure connection using an IP address.

  1. Convert an existing certificate into a certificate request. The certificate signing request (CSR) must be signed with the private key of the LDAP server for which the certificate was issued; using the -signkey option, pass the PEM file that contains the private key.

    openssl x509 -x509toreq -in old_cert.pem -out req.pem -signkey old_cert.pem

  2. Edit the /etc/pki/tls/openssl.cnf configuration file to include the server's IP address under the [ v3_ca ] section:

    subjectAltName = IP:

  3. Use the generated CSR to generate a new certificate with the specified IP address.

    To generate a self-signed certificate, use the `-signkey` option to sign the certificate with the PEM file containing the old LDAP server certificate and the corresponding private key:

    openssl x509 -req -in req.pem -out new_cert.pem -extfile ./openssl.cnf -extensions v3_ca -signkey old_cert.pem

    To generate a certificate signed by a certificate authority (CA), use the `-signkey` option to sign the certificate with a PEM file containing the CA private key:

    openssl x509 -req -in req.pem -out new_cert.pem -extfile ./openssl.cnf -extensions v3_ca -signkey key.pem

    The `-extensions` option sets which extensions to use with the certificate. For this, it should be `v3_ca` to load the appropriate section.
  4. Copy the private key block from the old_cert.pem file into the new_cert.pem file to keep all relevant information in one file.

When creating a certificate through the certutil utility provided by the nss-util package, note that certutil supports DNS subject alternative names as well as IP address subject alternative names for certificate creation.