[Freeipa-devel] certificate renewal
Rob Crittenden
rcritten at redhat.com
Wed Oct 30 21:06:58 UTC 2013
Vaede, Roger (Contractor) wrote:
> There are two locations of the alias:
> In the backup: /etc/httpd/alias/
> In the one that has expired: /var/lib/pki-ca/alias
These are separate entities and will need to be dealt with separately.
/var/lib/pki-ca/alias is the NSS database that contains the certificates
for the CA itself. With the subsystem certs being expired it means that
the CA itself is basically dead in the water because nothing can talk to it.
We're really moving into some uncharted waters here. I don't really want
to recommend upgrading to 3.0 just to get the certs renewed, though
there are lots of other good reasons to upgrade. I don't know what will
happen if we try to renew the certs using the 3.0 method on a 2.x server.
So you've got two IPA masters. Are you running the CA on both or only on
one? It makes a difference in how we do the renewal because it will be
more complex if you have it on both (not a show stopper).
I *think* we can use the latest certmonger to do the majority of the
heavy lifting. The basic process will be to update those bits, go back
in time, then tell it to start tracking the CA certs one by one and get
them renewed. We'll need to do the same with some other certs, some of
which are in /etc/httpd/alias and some of which are in
/etc/dirsrv/slapd-REALM/. If you have another instance of the CA we'll
need to extract some of the renewed certs and import them on the other
side. Then we return to present time.
So let me know what your environment looks like and I'll try to come up
with some steps to do the renewal.
rob
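The renewal plan above depends on two facts an admin has to establish first: which certificates in each NSS database are already expired, and whether there is still a point in time at which every certificate (the CA subsystem certs and the certs that talk to the CA) was valid at once, which is what "go back in time" relies on. The script below is an added example, not code from this thread, from FreeIPA or from certmonger. It parses the "Not Before"/"Not After" lines that `certutil -L -d <dbdir> -n <nickname>` prints (the surrounding output format is assumed), works on a constructed sample covering the three databases the thread names (the nicknames, dates and the `slapd-REALM` directory are placeholders), reports expired certs, computes the common validity window, proposes a clock time a safe margin before the first expiry, and orders the work so the CA database is handled before anything that depends on it.

```python
"""Pre-renewal check for certificates held in NSS databases.

Added example (not code from the thread, FreeIPA or certmonger).  Works on
the validity block that `certutil -L -d <dbdir> -n <nickname>` prints; the
exact layout of the surrounding fields is an assumption.
"""
import re
from datetime import datetime, timedelta

CA_DB = "/var/lib/pki-ca/alias"          # NSS database of the CA itself
EMAIL_DATE = datetime(2013, 10, 30, 21, 6, 58)   # reference "now" for the report

# Constructed sample: (NSS database dir, nickname) -> trimmed certutil output.
# Nicknames, dates and the slapd-REALM directory are placeholders.
SAMPLE_CERTUTIL_OUTPUT = {
    (CA_DB, "subsystemCert cert-pki-ca"): (
        "        Validity:\n"
        "            Not Before: Mon Oct 10 12:00:00 2011\n"
        "            Not After : Sun Sep 29 12:00:00 2013\n"),
    (CA_DB, "auditSigningCert cert-pki-ca"): (
        "        Validity:\n"
        "            Not Before: Mon Oct 10 12:00:00 2011\n"
        "            Not After : Tue Oct 01 12:00:00 2013\n"),
    ("/etc/httpd/alias", "Server-Cert"): (
        "        Validity:\n"
        "            Not Before: Tue Oct 11 12:00:00 2011\n"
        "            Not After : Sat Nov 30 12:00:00 2013\n"),
    ("/etc/dirsrv/slapd-REALM", "Server-Cert"): (
        "        Validity:\n"
        "            Not Before: Tue Oct 11 12:00:00 2011\n"
        "            Not After : Sat Nov 30 12:00:00 2013\n"),
}

CERTUTIL_DATE_FMT = "%a %b %d %H:%M:%S %Y"     # e.g. "Sun Sep 29 12:00:00 2013"
NOT_BEFORE_RE = re.compile(r"Not Before:\s*(.+)")
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+)")


def parse_validity(text):
    """Return (not_before, not_after) datetimes from a certutil validity block."""
    before = NOT_BEFORE_RE.search(text)
    after = NOT_AFTER_RE.search(text)
    if not before or not after:
        raise ValueError("validity block not found in certutil output")
    return (datetime.strptime(before.group(1).strip(), CERTUTIL_DATE_FMT),
            datetime.strptime(after.group(1).strip(), CERTUTIL_DATE_FMT))


def load_certs(outputs):
    """Turn {(db, nick): certutil text} into a list of cert records."""
    certs = []
    for (db, nick), text in outputs.items():
        not_before, not_after = parse_validity(text)
        certs.append({"db": db, "nick": nick,
                      "not_before": not_before, "not_after": not_after})
    return certs


def status(cert, now):
    """'valid', 'expired' or 'not yet valid' relative to the given clock."""
    if now < cert["not_before"]:
        return "not yet valid"
    if now > cert["not_after"]:
        return "expired"
    return "valid"


def expired_certs(certs, now):
    return [c for c in certs if status(c, now) == "expired"]


def common_validity_window(certs):
    """Interval in which every cert is valid at the same time, or None."""
    start = max(c["not_before"] for c in certs)
    end = min(c["not_after"] for c in certs)
    return (start, end) if start < end else None


def suggested_clock_time(certs, margin=timedelta(days=7)):
    """Clock setting for the renewal: inside the common window, a margin
    before the first expiry so every cert is still valid while certmonger
    talks to the CA.  None if the validity periods never overlapped."""
    window = common_validity_window(certs)
    if window is None:
        return None
    start, end = window
    target = end - margin
    return target if target > start else start + (end - start) / 2


def renewal_order(certs):
    """CA-database certs first (nothing can be renewed until the CA is
    alive again), then the rest; each group by earliest expiry."""
    ca = sorted((c for c in certs if c["db"] == CA_DB), key=lambda c: c["not_after"])
    rest = sorted((c for c in certs if c["db"] != CA_DB), key=lambda c: c["not_after"])
    return ca + rest


if __name__ == "__main__":
    certs = load_certs(SAMPLE_CERTUTIL_OUTPUT)
    for c in renewal_order(certs):
        print(f"{status(c, EMAIL_DATE):13} {c['db']}  {c['nick']}  "
              f"expires {c['not_after']:%Y-%m-%d}")
    print("common validity window:", common_validity_window(certs))
    print("suggested clock time for renewal:", suggested_clock_time(certs))
```

Run against real databases by feeding it the output of `certutil -L -d <dbdir> -n <nickname>` for each nickname listed by `certutil -L -d <dbdir>`; a `None` from `suggested_clock_time` means the certificates' validity periods never overlapped, so the clock trick alone cannot bring the CA back and a different recovery path is needed.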