[Freeipa-devel] certificate renewal

Vaede, Roger (Contractor) Roger.Vaede at fincen.gov
Thu Oct 31 00:40:08 UTC 2013


I cannot upgrade to IPA 3.0 at this time, these are live machines.
I only want to renew the primary server, the one that has an expired certificate.
How can I tell if the server is running on CA?

Thanks for your help on this Rob.

Regards
Roger

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com] 
Sent: Wednesday, October 30, 2013 5:07 PM
To: Vaede, Roger (Contractor); 'freeipa-devel at redhat.com'
Subject: Re: [Freeipa-devel] certificate renewal

Vaede, Roger (Contractor) wrote:
> There are two locations of the alias:
> In the backup:  /etc/httpd/alias/
> In the one that has expired:  /var/lib/pki-ca/alias

These are separate entities and will need to be dealt with separately.
/var/lib/pki-ca/alias is the NSS database that contains the certificates for the CA itself. With the subsystem certs being expired it means that the CA itself is basically dead in the water because nothing can talk to it.

We're really moving into some uncharted waters here. I don't really want to recommend upgrading to 3.0 just to get the certs renewed, though there are lots of other good reasons to upgrade. I don't know what will happen if we try to renew the certs using the 3.0 method on a 2.x server.

So you've got two IPA masters. Are you running the CA on both or only on one? It makes a difference in how we do the renewal because it will be more complex if you have it on both (not a show stopper).

I *think* we can use the latest certmonger to do the majority of the heavy lifting. The basic process will be to update those bits, go back in time, then tell it to start tracking the CA certs one by one and get them renewed. We'll need to do the same with some other certs, some of which are in /etc/httpd/alias and some of which are in /etc/dirsrv/slapd-REALM/. If you have another instance of the CA we'll need to extract some of the renewed certs and import them on the other side. Then we return to present time.

So let me know what your environment looks like and I'll try to come up with some steps to do the renewal.

rob
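Since the renewal plan above depends on which certificates in which NSS database have lapsed, and on what the clock says when certmonger runs, here is an added inventory check (example code, not from the thread or from FreeIPA). It parses `certutil -L` output for the three databases Rob names, judges expiry against a chosen reference time rather than only the real clock, and ships with constructed sample output; `certutil` from nss-tools, the `REALM` placeholder and the sample nicknames are assumptions.

```python
import re
import shutil
import subprocess
from datetime import datetime, timezone

# NSS databases named in the thread; REALM stands in for the real realm directory.
NSS_DBS = ["/var/lib/pki-ca/alias", "/etc/httpd/alias", "/etc/dirsrv/slapd-REALM"]
# Reference clock for the demo: the timestamp of the message above.
EMAIL_DATE = datetime(2013, 10, 31, 0, 40, 8, tzinfo=timezone.utc)
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+)")
# Constructed sample certutil output (not captured from a real IPA server).
SAMPLE_LISTING = ("Certificate Nickname    Trust Attributes\n"
                  "                        SSL,S/MIME,JAR/XPI\n\n"
                  "Server-Cert             u,u,u\n"
                  "EXAMPLE.TEST IPA CA     CT,C,C\n")
SAMPLE_EXPIRED = "        Validity:\n            Not After : Wed Oct 30 00:40:08 2013\n"
SAMPLE_VALID = "        Validity:\n            Not After : Sat Oct 31 00:40:08 2015\n"

def parse_not_after(certutil_text):
    """Return the 'Not After' timestamp (UTC) from `certutil -L -d DIR -n NICK` output."""
    m = NOT_AFTER_RE.search(certutil_text)
    if m is None:
        raise ValueError("no 'Not After' field in certutil output")
    stamp = datetime.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Y")
    return stamp.replace(tzinfo=timezone.utc)

def is_expired(certutil_text, now=None):
    """True if the certificate had already expired at `now` (default: the real clock)."""
    return parse_not_after(certutil_text) < (now or datetime.now(timezone.utc))

def nicknames(listing):
    """Parse nicknames from `certutil -L -d DIR`; trust flags are the last token."""
    names = []
    for line in listing.splitlines()[3:]:  # skip two header lines and the blank line
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) == 2:
            names.append(parts[0].rstrip())
    return names

def check_db(db_dir, now=None):
    """Return {nickname: expired?} for every certificate in one NSS database."""
    if shutil.which("certutil") is None:
        raise RuntimeError("certutil (nss-tools) is not installed")
    def run(*extra):
        cmd = ["certutil", "-L", "-d", db_dir, *extra]
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return {nick: is_expired(run("-n", nick), now) for nick in nicknames(run())}
```

Running `check_db(db)` for each entry in `NSS_DBS` on the master answers which database holds the dead subsystem certs; passing a past `now` shows what certmonger will see once the clock has been moved back.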
