Add Subject Alt Name to existing host certificate?

Is it possible to add or modify a subject alt name for the existing host cert used for IPSec?

Windows clients require that the certificate of the IPFire machine have a SubjectAltName that is the same as the DNS name you use to connect to the server, and it would be helpful if we could reissue the cert with a new SAN.


EDIT: I should make clear that I know I can’t modify the existing certificate, but I’d like to issue a new certificate with the updated SAN and have the existing certificate-based tunnels use that new certificate.


In my experience working with network security, the only way I know of doing this, unless you control your own private CA internally on your network, is the following.

1.) You would need to regenerate a CSR (Certificate Signing Request)
2.) Send this to your CA (Verisign, Google, GoDaddy or the hundreds of others out there)
3.) They will obviously respond back with the Certificate, Private Key, and chain if required.

When filling out the information for the CSR, there is a field in there for the SAN. That would be what you are looking for. It would need to be added before the CA signs off on it for the final cert/key.

If you own your own internal CA, the same process would apply, but it would generally be quicker, if you have someone to work some magic speed-wise.
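
The CSR-with-SAN step described in the reply above, as an added example that is not part of the original thread and is not IPFire's own tooling. It assumes the OpenSSL command line; `vpn.example.org` is a placeholder name, the function names are hypothetical, and a throwaway test CA stands in for whichever CA signs the request.

```shell
#!/bin/sh
# Constructed example: all names and paths below are placeholders.

# Create a new key and a CSR that requests a DNS subjectAltName.
make_san_csr() {   # $1 = DNS name, $2 = output directory
    name=$1; dir=$2
    cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $name
[ext]
subjectAltName = DNS:$name
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -keyout "$dir/host.key" -out "$dir/host.csr" 2>/dev/null
}

# Sign the CSR with a throwaway test CA. "openssl x509 -req" does not copy
# extensions from the CSR by default, so the SAN is supplied again via -extfile.
sign_with_test_ca() {   # $1 = output directory
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -subj "/CN=Test CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl x509 -req -in "$dir/host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/req.cnf" -extensions ext \
        -out "$dir/host.crt" 2>/dev/null
}

# Succeed only if the CSR or certificate in $1 lists DNS:$2 as a SAN.
has_san() {   # $1 = PEM file (.csr or certificate), $2 = DNS name
    case $1 in
        *.csr) text=$(openssl req -in "$1" -noout -text) ;;
        *)     text=$(openssl x509 -in "$1" -noout -text) ;;
    esac
    printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | grep -qF "DNS:$2"
}
```

Running `has_san` on the issued certificate, not only on the CSR, confirms that the signing step actually carried the SAN into the final certificate.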

