<div dir="ltr"><div><div><div><div><div><div><div><div><div><div>First of all, thanks for the quick response Florence!<br><br></div>I have a question about your suggested steps [1] and [2]:<br></div>For [1], "ipa-cacert-manage install cert.pem": which certificate is this? Is it the ChainBundle cert (root cert + intermediate cert)?<br></div>For [2], "ipa-server-certinstall -d /path/to/pkcs12.p12": which certificate is this pkcs12.p12? Is it the server cert?<br><br></div>Here's exactly what I ran initially to install the IPA server with the Verisign certs, following your suggestion last time (Admin manual 2.3.6, Installing Without a CA), and it worked well:<br><br># ipa-server-install --http-cert-file ServerCertificate.crt --http-cert-file ipaserver1.encrypted.key --http-pin MYipakey --dirsrv-cert-file ServerCertificate.crt --dirsrv-cert-file ipaserver1.encrypted.key --dirsrv-pin MYipakey --ca-cert-file ChainBundle2.crt<br><br></div>So, basically the installation requested 3 items: the server key (ipaserver1.encrypted.key), the server certificate from Verisign (ServerCertificate.crt), and the "root+intermediate" certs from Verisign (ChainBundle2.crt).<br></div>Now let's say the Verisign certificate expires and I want to replace it with certs from GoDaddy (another public cert provider). I assume a new set of certs, including the new key, the new server cert and the new chain cert (root+intermediate), 3 items in total, will need to be included in the commands for the third-party certificate replacement.<br></div>The steps [1] and [2] only show two inputs, so I am not sure what I have been missing.<br></div><br></div>Please advise on the details.
Thanks again!<br></div>Beeth<br><div><div><div><div><br><div><div><div><div><div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Oct 19, 2016 at 11:49 AM, Florence Blanc-Renaud <span dir="ltr"><<a href="mailto:flo@redhat.com" target="_blank">flo@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">On 10/19/2016 05:23 PM, beeth beeth wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">
I once asked about installing IPA servers with a certificate provided by a<br>
third party like<br>
Verisign (<a href="https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html" rel="noreferrer" target="_blank">https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html</a>).<br></span>
<span class="gmail-">
Florence, Rob and Jakub from Redhat had been very helpful, and pointed<br>
out the solution at<br>
<a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca" rel="noreferrer" target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca</a>,<br></span>
<span class="gmail-">
about "Installing Without a CA", and it worked great!<br>
<br>
Now another problem has come up: the Verisign (or any other)<br>
certificate will expire in a year or two. How can I smoothly renew the<br>
Verisign certificate on the primary and replica IPA servers a year from<br>
now? Or if we decide to use another provider, say a GoDaddy certificate,<br>
how can I replace the existing certificate on both IPA servers? I found<br>
a relevant instruction at<br>
<a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#auto-cert-renewal" rel="noreferrer" target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#auto-cert-renewal</a>,<br></span>
<span class="gmail-">but that's about the "Dogtag" CA certificate, not about the third-party<br>
certificate I am using in our upcoming production environment (running<br>
IPA 4.2 on RHEL7).<br>
<br>
</span></blockquote>
Hi,<br>
<br>
if you plan to use another CA (for instance switch from Verisign to Godaddy), you will first need to install the new CA certificate with ipa-cacert-manage install and ipa-certupdate. The instructions are in 30.4 Manual CA Certificate Installation [1].<br>
<br>
Then, if you want to change the HTTP and LDAP certificates for your server, you can use the ipa-server-certinstall utility [2].<br>
<br>
[1] <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#manual-cert-install" rel="noreferrer" target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#manual-cert-install</a><br>
<br>
[2] <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#Configuring_Certificates_and_Certificate_Authorities" rel="noreferrer" target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#Configuring_Certificates_and_Certificate_Authorities</a><br>
<br>
Hope this helps,<br>
Flo.<div class="gmail-HOEnZb"><div class="gmail-h5"><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Please advise. Thank you!<br>
Beeth<br>
</blockquote>
<br>
</div></div></blockquote></div><br></div></div></div></div></div></div></div></div></div></div></div></div></div>
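<p>Added example, not part of the thread above and not Red Hat's or FreeIPA's own code: a POSIX shell script that does the preparation the two steps leave implicit. The chain bundle (root + intermediate) is the input to step [1], ipa-cacert-manage install; the PKCS#12 for step [2], ipa-server-certinstall, is built from the remaining two files, the server key and the server certificate, with the chain included. Before building it, the script checks that the three files belong together (the key matches the certificate, the certificate verifies against the chain), then splits the chain into one PEM per certificate for step [1]. Assumptions: the file names ipaserver1.key, ServerCertificate.crt and ChainBundle.crt, the hostname ipaserver1.example.test, the PKCS#12 friendly name Server-Cert and the pin MYipakey are all made up; the certificate material is generated locally as a constructed stand-in for what a public CA would deliver; and the ipa-* commands are printed rather than executed, because they need a live IPA server. The flags shown (ipa-cacert-manage install FILE, ipa-certupdate, ipa-server-certinstall -w -d --pin) are the documented ones, but check them against the man pages of the IPA version actually installed.</p>

```shell
#!/bin/sh
# Added example (not from the thread): stage a third-party server certificate
# for an IPA server. Checks the key/cert/chain the CA delivered, builds the
# PKCS#12 that ipa-server-certinstall consumes, and prints the IPA commands.
set -eu

# Constructed stand-ins for the three files a public CA hands you: a server
# key, the server certificate, and a "chain bundle" (intermediate + root).
# A real deployment uses the CA-supplied files and skips this function.
make_test_material() {
    d="$1"; mkdir -p "$d"
    cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$d/req.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -subj "/CN=Example Root CA" -days 30 -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Example Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/req.cnf" -extensions v3_ca -out "$d/int.crt" 2>/dev/null
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=ipaserver1.example.test" -keyout "$d/ipaserver1.key" -out "$d/server.csr" 2>/dev/null
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:ipaserver1.example.test\n' > "$d/srv.ext"
    openssl x509 -req -days 30 -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -extfile "$d/srv.ext" -out "$d/ServerCertificate.crt" 2>/dev/null
    cat "$d/int.crt" "$d/root.crt" > "$d/ChainBundle.crt"   # intermediate first, then root
}

# The private key must belong to the server certificate: compare the SHA-256 of
# both SubjectPublicKeyInfo blobs. An encrypted key (like ipaserver1.encrypted.key
# in the thread) additionally needs -passin on the openssl pkey call.
key_matches_cert() {   # $1 key file, $2 certificate file
    openssl pkey -in "$1" -noout 2>/dev/null || return 1
    openssl x509 -in "$2" -noout 2>/dev/null || return 1
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The server certificate must verify against the delivered bundle (intermediate + root).
chain_verifies() {   # $1 server certificate, $2 chain bundle
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# One PEM file per certificate, so each CA certificate in the chain can be handed
# to ipa-cacert-manage install on its own (conservative: one cert per call).
split_pem() {   # $1 bundle, $2 prefix -> prefix-1.pem, prefix-2.pem, ...
    awk -v p="$2" '/BEGIN CERTIFICATE/ { n++ } n > 0 { print > (p "-" n ".pem") }' "$1"
}

# Bundle key + server cert + chain into the PKCS#12 that ipa-server-certinstall reads.
# With OpenSSL 3 add -legacy if an older NSS on the IPA host rejects the file.
make_pkcs12() {   # $1 key, $2 cert, $3 chain, $4 output, $5 pin
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -name "Server-Cert" \
        -passout "pass:$5" -out "$4" 2>/dev/null
}

pkcs12_cert_count() {   # $1 p12 file, $2 pin -> number of certificates inside
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Check the delivered files, build the PKCS#12 and show the IPA steps [1] and [2].
stage_bundle() {   # $1 dir with ipaserver1.key, ServerCertificate.crt, ChainBundle.crt; $2 pin
    d="$1"; pin="$2"
    key="$d/ipaserver1.key"; cert="$d/ServerCertificate.crt"; chain="$d/ChainBundle.crt"
    key_matches_cert "$key" "$cert" || { echo "key does not match ServerCertificate.crt" >&2; return 1; }
    chain_verifies "$cert" "$chain" || { echo "certificate does not chain to ChainBundle.crt" >&2; return 1; }
    split_pem "$chain" "$d/ca"
    make_pkcs12 "$key" "$cert" "$chain" "$d/ipaserver1.p12" "$pin"
    # Printed, not executed (needs a live IPA server). Run on every IPA server: [1], then [2].
    for f in "$d"/ca-*.pem; do echo "ipa-cacert-manage install $f"; done
    echo "ipa-certupdate"
    echo "ipa-server-certinstall -w -d --pin '$pin' $d/ipaserver1.p12"
}

# Stand-alone run against the constructed material (pin is an assumed value).
D=$(mktemp -d)
make_test_material "$D"
stage_bundle "$D" MYipakey
```

<p>Two practical notes that follow from how the tools work: ipa-certupdate pulls the CA certificates from the IPA store into the local NSS databases, so it has to run on every server and client, not just where ipa-cacert-manage was run; and ipa-server-certinstall only touches the NSS databases of the server it runs on, so the PKCS#12 step is repeated on each replica (the -d option also needs the Directory Manager password, given with -p or typed at the prompt).</p>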