[Freeipa-users] CA expiration and renewal

Rob Crittenden rcritten at redhat.com
Wed Dec 4 15:15:49 UTC 2013


Erinn Looney-Triggs wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 11/27/2013 11:11 AM, Rob Crittenden wrote:
>> Erinn Looney-Triggs wrote:
>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>>
>>>
>>>
>>> On 11/25/2013 11:09 AM, Rob Crittenden wrote:
>>>> Erinn Looney-Triggs wrote:
>>>>> Folks just wanted to touch base again before the American
>>>>> holiday season starts. My CA, which is subordinate to AD CS
>>>>> will be expiring on December 9th, I submitted a bug, y'all
>>>>> drew up docs etc for a plan (thanks). Now I just wanted to
>>>>> see how it was going and if need be what manual steps I will
>>>>> need to take to renew the certificate.
>>>>>
>>>>> Thanks again for the great work,
>>>>
>>>> We're working on a set of tools to make this easier. For
>>>> now I've appended some manual instructions onto a page still
>>>> in progress.
>>>>
>>>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Manual_Procedure_in_IPA_3.0
>>>>
>>>> Some parts may still be a little rough or hard to understand.
>>>> Let me know if you have any problems or corrections.
>>>>
>>>> rob
>>>
>>> Rob,
>>>
>>> Thanks for the instructions, a few questions.
>>>
>>> What sort of interruption in service could this create?
>>
>> Services will be restarted during this process including your
>> LDAP, Apache and CA instances. Downtime should be relatively short,
>> no more than a few minutes combined.
>>
>>> Can you expand on this section a little bit: Replace the value of
>>> ca.signing.cert in /etc/pki-ca/CS.cfg. This is the base64 value
>>> of the certificate. You can obtain this by removing the BEGIN/END
>>> blocks from ipa.crt and compressing it into a single line.
>>
>> A PEM cert looks like:
>>
>> -----BEGIN CERTIFICATE-----
>> MIIB/zCCAWigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBB
>> IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDIyMzIyMzMxNVoXDTIw
>> MDIyMzIyMzMxNVowKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0
>> aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+G6ultyLaXqzBlypA
>> DnOsinkMTlZZssTFQh/QUMi1F1fcn8QUlmsl9a+l6w6hfZm7P8z3sVwsjLQcDWA4
>> KxOh+LmIsNL4OKx4wKF1q/pSt1PATRU5Pgu2+3wlwJO0H7cl4QfavoOLwmxAZf/l
>> ZNIy/5czvSWFWj7EJj16ty9BeQIDAQABozYwNDARBglghkgBhvhCAQEEBAMCAAcw
>> DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAsQwDQYJKoZIhvcNAQEFBQAD
>> gYEAl0gIshwNkhyfNe1XMLswPeOgH5YN1BUuKXzbv1fuSIkArjwLODr4cOdXzQvt
>> yaiX6Z+pRC/sK8MgLhPxV2X9QVQdzKfLkVGIdboCt1j3EXxSUCZeIuSKouitkWYe
>> eSH9DQkYDp/oKgANLWnY7CNorPz6xQktp1pB0DGohV1BeTA=
>> -----END CERTIFICATE-----
>>
>> You need to drop the BEGIN/END blocks then combine all the lines
>> into a single line, so you have a unified base64 blob. It will look
>> like:
>>
>> ca.signing.cert=MII...B0DGohV1BeTA=
>>
>> I was afraid wrapping would destroy my demonstration so I used
>> ellipses instead.
>>
>>> Thanks and happy Thanksgiving,
>>
>> You're welcome. You too.
>>
>> rob
>>
>
> Ok I have done the steps as outlined. One small suggestion and one
> question came up.
>
> Suggestion: for the ldapmodify command indicate that a ctl-d is
> necessary to end input. Most folks will know this, but some may not.
>
> For the client section you have me copy the newly signed subordinate CA
> certificate into /etc/ipa/ca.crt. However, on my hosts that was
> actually a copy of the AD CS certificate, not the subordinate
> certificate. In the case of a subordinate installation do you want the
> root or the subordinate CA? It would seem that the root would be
> broader, but I just want to make sure.
>

The IPA CA cert should be sufficient.

rob
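The PEM-to-CS.cfg step discussed in the quoted exchange, as an added example that is not from the thread or the FreeIPA project: it drops the BEGIN/END lines, joins the base64 into one blob, and then checks that the blob decodes to exactly one DER certificate, so a dropped, duplicated or wrapped line is caught before the value is pasted into CS.cfg. The certificate constant is the test certificate quoted above; the function names are assumptions of this example.

```python
import base64
import binascii
import re

# Certificate quoted in the thread above (the "IPA Test Certificate Authority" sample).
PAGE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIB/zCCAWigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBB
IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDIyMzIyMzMxNVoXDTIw
MDIyMzIyMzMxNVowKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0
aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+G6ultyLaXqzBlypA
DnOsinkMTlZZssTFQh/QUMi1F1fcn8QUlmsl9a+l6w6hfZm7P8z3sVwsjLQcDWA4
KxOh+LmIsNL4OKx4wKF1q/pSt1PATRU5Pgu2+3wlwJO0H7cl4QfavoOLwmxAZf/l
ZNIy/5czvSWFWj7EJj16ty9BeQIDAQABozYwNDARBglghkgBhvhCAQEEBAMCAAcw
DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAsQwDQYJKoZIhvcNAQEFBQAD
gYEAl0gIshwNkhyfNe1XMLswPeOgH5YN1BUuKXzbv1fuSIkArjwLODr4cOdXzQvt
yaiX6Z+pRC/sK8MgLhPxV2X9QVQdzKfLkVGIdboCt1j3EXxSUCZeIuSKouitkWYe
eSH9DQkYDp/oKgANLWnY7CNorPz6xQktp1pB0DGohV1BeTA=
-----END CERTIFICATE-----"""
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def der_total_length(der: bytes) -> int:
    """Length (header + content) that the outer DER SEQUENCE header claims."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (first byte should be 0x30)")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n big-endian length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def pem_to_single_line(pem_text: str) -> str:
    """Drop the BEGIN/END lines, join the base64 into one blob, and sanity-check it."""
    m = _PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    b64 = re.sub(r"\s+", "", m.group(1))  # "compress it into a single line"
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:         # stray characters or a cut-off last line
        raise ValueError(f"base64 does not decode cleanly: {exc}") from exc
    if der_total_length(der) != len(der): # catches a missing or duplicated line
        raise ValueError("decoded bytes are not exactly one DER certificate")
    return b64

def cs_cfg_line(pem_text: str) -> str:
    """Render the CS.cfg entry, e.g. ca.signing.cert=MII...BeTA="""
    return "ca.signing.cert=" + pem_to_single_line(pem_text)
```

Calling `cs_cfg_line(PAGE_CERT_PEM)` returns the one-line `ca.signing.cert=...` entry ready to paste into CS.cfg; feeding it a PEM with a line missing raises ValueError instead of producing a corrupt value.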
