[Freeipa-users] Rekeying Third-party signed certificate

Rob Crittenden rcritten at redhat.com
Wed Nov 4 15:14:53 UTC 2009


James Roman wrote:
> Can't believe that time is up already. The third-party signed 
> certificate that I deployed my freeipa server with is about to expire. 
> Our certificate signer has now set the minimum key length to 2048 bit, 
> which means I have to re-key our primary freeipa SSL certificate. Before 
> I install the new certificate, I was wondering what impact this will 
> have on the other directory servers in my topology? I have one Active 
> Directory domain controller performing AD sync. I have four domain 
> controllers running password sync. I have one other freeipa replication 
> server.

As you point out, the chain is remaining the same, so I think you just 
need to replace this one expiring cert.

> 
> *freeipa replica server*
> I assume that since the replication server has its own third-party 
> signed SSL certificate installed, it will not be affected at all by 
> installing a new certificate, since the certificate trust chain of the 
> new freeipa master certificate will be the same as the old one (and the 
> same as the cert used by the replication server).

Right, unless it is about to expire too!

> *AD Sync Agreement*
> I also do not expect any issues here, since the Certificate chain 
> remains the same and is already trusted by the AD domain controller.

I agree.

> *Passsync Domain Controllers*
> I am less sure about this one. Again, the certificate chain will remain 
> the same, but I will probably need to replace the peer certificate in 
> the DC's cert database. I plan on just using certutil to remove and 
> import the new peer certificate.

I don't think you need to do anything here. The passsync database just 
needs to trust the cert that DS is using. Since you are using the same 
CA I think you'll be fine.

> Should I use ipa-server-certinstall to install the new certificate on 
> the freeipa master, or should I just use certutil to remove and replace 
> the existing server cert (making sure to use the same certificate 
> friendly name)?

Either should work. ipa-server-certinstall assumes (perhaps poorly) that 
the PKCS#12 file you provide includes the CA chain as well, so be sure 
that is included.

If you are comfortable with certutil that is certainly an option. Where 
are you going to generate the CSR for this new cert?

rob
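A pre-flight check for the PKCS#12 step Rob raises above, added here as an example; it is not part of the thread and not FreeIPA's own tooling. Before handing a bundle to ipa-server-certinstall it confirms that the file carries the CA chain alongside the server certificate and that the server key meets the 2048-bit minimum the signer now enforces. It assumes openssl is on PATH; the CA, hostnames, file names and the password "secret" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: inspect a PKCS#12 bundle before installing it on an IPA
# server. Assumes openssl is on PATH. All names below are constructed.
set -eu

# check_p12 FILE PASSWORD [MINBITS]
# Returns 0 when the bundle holds at least one CA cert besides the server
# cert and the private key is at least MINBITS (default 2048) bits.
check_p12() {
    p12="$1"; pass="$2"; minbits="${3:-2048}"
    tmp=$(mktemp -d)
    # Certificates only: server cert plus any CA certs carried in the bundle
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys \
        -out "$tmp/certs.pem" 2>/dev/null || { rm -rf "$tmp"; return 1; }
    # Private key only, unencrypted, so its modulus size can be read
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
        -out "$tmp/key.pem" 2>/dev/null || { rm -rf "$tmp"; return 1; }
    ncerts=$(grep -c 'BEGIN CERTIFICATE' "$tmp/certs.pem" || true)
    # "Private-Key: (2048 bit, ...)" -> 2048
    bits=$(openssl pkey -in "$tmp/key.pem" -text -noout 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    rm -rf "$tmp"
    status=0
    if [ "$ncerts" -lt 2 ]; then
        echo "$p12: only $ncerts certificate(s) in bundle; CA chain missing"
        status=1
    fi
    if [ -z "$bits" ] || [ "$bits" -lt "$minbits" ]; then
        echo "$p12: key is ${bits:-unknown} bits, below required $minbits"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "$p12: chain present ($ncerts certs), key $bits bits: OK"
    return "$status"
}

# make_fixtures DIR: constructed test CA, 2048-bit server key/cert and two
# bundles, one with the chain and one without (one-day validity).
make_fixtures() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -out "$d/ca.crt" -subj "/CN=Example Test CA" -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/srv.key" \
        -out "$d/srv.csr" -subj "/CN=ipa.example.test" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 1 -out "$d/srv.crt" -days 1 2>/dev/null
    # What ipa-server-certinstall expects: key, server cert and the CA chain
    openssl pkcs12 -export -inkey "$d/srv.key" -in "$d/srv.crt" \
        -certfile "$d/ca.crt" -passout pass:secret -out "$d/good.p12"
    # Server cert only, chain omitted
    openssl pkcs12 -export -inkey "$d/srv.key" -in "$d/srv.crt" \
        -passout pass:secret -out "$d/nochain.p12"
}

demo_dir=$(mktemp -d)
make_fixtures "$demo_dir"
for f in good.p12 nochain.p12; do
    check_p12 "$demo_dir/$f" secret 2048 || true
done
rm -rf "$demo_dir"
```

Run it against the real bundle as `check_p12 /path/to/server.p12 'password' 2048` once the CSR has been signed; a failing chain check means the PKCS#12 needs to be re-exported with `-certfile` pointing at the CA chain before ipa-server-certinstall will see it.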