[Freeipa-users] CA expiration and renewal

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Wed Dec 4 17:58:20 UTC 2013


On 12/04/2013 07:15 AM, Rob Crittenden wrote:
> Erinn Looney-Triggs wrote:
>> On 11/27/2013 11:11 AM, Rob Crittenden wrote:
>>> Erinn Looney-Triggs wrote:
>>>> On 11/25/2013 11:09 AM, Rob Crittenden wrote:
>>>>> Erinn Looney-Triggs wrote:
>>>>>> Folks just wanted to touch base again before the
>>>>>> American holiday season starts. My CA, which is
>>>>>> subordinate to AD CS will be expiring on December 9th, I
>>>>>> submitted a bug, y'all drew up docs etc for a plan
>>>>>> (thanks). Now I just wanted to see how it was going and
>>>>>> if need be what manual steps I will need to take to renew
>>>>>> the certificate.
>>>>>> 
>>>>>> Thanks again for the great work,
>>>>> 
>>>>> We're working on a set of tools to make this easier.
>>>>> For now I've appended some manual instructions onto a page
>>>>> still in progress.
>>>>> 
>>>>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Manual_Procedure_in_IPA_3.0
>>>>> 
>>>>> Some parts may still be a little rough or hard to understand.
>>>>> Let me know if you have any problems or corrections.
>>>>> 
>>>>> rob
>>>> 
>>>> Rob,
>>>> 
>>>> Thanks for the instructions, a few questions.
>>>> 
>>>> What sort of interruption in service could this create?
>>> 
>>> Services will be restarted during this process including your 
>>> LDAP, Apache and CA instances. Downtime should be relatively
>>> short, no more than a few minutes combined.
>>> 
>>>> Can you expand on this section a little bit: Replace the
>>>> value of ca.signing.cert in /etc/pki-ca/CS.cfg. This is the
>>>> base64 value of the certificate. You can obtain this by
>>>> removing the BEGIN/END blocks from ipa.crt and compressing it
>>>> into a single line.
>>> 
>>> A PEM cert looks like:
>>> 
>>> -----BEGIN CERTIFICATE-----
>>> MIIB/zCCAWigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBB
>>> IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDIyMzIyMzMxNVoXDTIw
>>> MDIyMzIyMzMxNVowKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0
>>> aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+G6ultyLaXqzBlypA
>>> DnOsinkMTlZZssTFQh/QUMi1F1fcn8QUlmsl9a+l6w6hfZm7P8z3sVwsjLQcDWA4
>>> KxOh+LmIsNL4OKx4wKF1q/pSt1PATRU5Pgu2+3wlwJO0H7cl4QfavoOLwmxAZf/l
>>> ZNIy/5czvSWFWj7EJj16ty9BeQIDAQABozYwNDARBglghkgBhvhCAQEEBAMCAAcw
>>> DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAsQwDQYJKoZIhvcNAQEFBQAD
>>> gYEAl0gIshwNkhyfNe1XMLswPeOgH5YN1BUuKXzbv1fuSIkArjwLODr4cOdXzQvt
>>> yaiX6Z+pRC/sK8MgLhPxV2X9QVQdzKfLkVGIdboCt1j3EXxSUCZeIuSKouitkWYe
>>> eSH9DQkYDp/oKgANLWnY7CNorPz6xQktp1pB0DGohV1BeTA=
>>> -----END CERTIFICATE-----
>>> 
>>> You need to drop the BEGIN/END blocks then combine all the
>>> lines into a single line, so you have a unified base64 blob. It
>>> will look like:
>>> 
>>> ca.signing.cert=MII...B0DGohV1BeTA=
>>> 
>>> I was afraid wrapping would destroy my demonstration so I used 
>>> ellipses instead.
>>> 
>>>> Thanks and happy Thanksgiving,
>>> 
>>> You're welcome. You too.
>>> 
>>> rob
>>> 
>> 
>> Ok I have done the steps as outlined. One small suggestion and
>> one question came up.
>> 
>> Suggestion: for the ldapmodify command indicate that a ctl-d is 
>> necessary to end input. Most folks will know this, but some may
>> not.
>> 
>> For the client section you have me copy the newly signed
>> subordinate CA certificate into /etc/ipa/ca.crt. However, on my
>> hosts that was actually a copy of the AD CS certificate, not the
>> subordinate certificate. In the case of a subordinate
>> installation do you want the root or the subordinate CA? It would
>> seem that the root would be broader, but I just want to make
>> sure.
>> 
> 
> The IPA CA cert should be sufficient.
> 
> rob
> 

Thanks, and just for an update, the switch over was made, certmonger
is happily updating certs now on all hosts and everything just appears
to be working thus far, minus the replication of the agent certificate
which I am still looking into.

Thanks for the help,

-Erinn
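Rob's explanation above describes turning ipa.crt into the single-line base64 value for ca.signing.cert in /etc/pki-ca/CS.cfg. The script below is an added example, not code from the thread or from the FreeIPA project: it strips the BEGIN/END lines, joins the base64, sanity-checks the result and rewrites the key in a config file. The certificate body and the two-key CS.cfg it operates on are constructed placeholders written to a temporary directory, so it never touches a real /etc/pki-ca/CS.cfg.

```shell
#!/bin/sh
# Added example, not from the thread: build the single-line base64 value
# the thread describes for ca.signing.cert and write it into a copy of
# CS.cfg. The certificate and config below are CONSTRUCTED samples.

pem_to_single_line() {
    # Drop the BEGIN/END armour lines and join the base64 lines into one.
    grep -v -- '-----' "$1" | tr -d '\r\n'
}

is_base64_blob() {
    # Sanity check: only base64 characters plus optional '=' padding, so a
    # stray space, CR or armour line cannot slip into the config value.
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

set_cs_cfg_value() {
    # set_cs_cfg_value <config file> <key> <value>
    # Replace an existing "key=value" line or append one. sed's delimiter
    # is '|', which never occurs in base64 (unlike '/'); written via a
    # temp file so it does not depend on GNU sed's -i.
    cfg=$1; key=$2; value=$3
    if grep -q "^${key}=" "$cfg"; then
        sed "s|^${key}=.*|${key}=${value}|" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf '%s=%s\n' "$key" "$value" >> "$cfg"
    fi
}

# Constructed demo input: a fake PEM body wrapped at 64 columns, and a
# two-key stand-in for /etc/pki-ca/CS.cfg.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ipa.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBfakeFIRSTLINEfakeFIRSTLINEfakeFIRSTLINEfakeFIRSTLINEfakeFIRS
TLINEfakeSECONDLINE+/fakeSECONDLINE==
-----END CERTIFICATE-----
EOF
printf 'ca.signing.cert=OLDVALUE\nca.signing.tokenname=internal\n' > "$demo_dir/CS.cfg"

blob=$(pem_to_single_line "$demo_dir/ipa.crt")
if is_base64_blob "$blob"; then
    set_cs_cfg_value "$demo_dir/CS.cfg" ca.signing.cert "$blob"
    cat "$demo_dir/CS.cfg"
else
    echo "refusing to write: value is not a clean base64 blob" >&2
fi
```

On a real server the same value can be cross-checked against `openssl x509 -in ipa.crt -outform DER | base64 -w0` before the CA is restarted.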