[Freeipa-users] CA expiration and renewal

Martin Kosek mkosek at redhat.com
Thu Dec 5 09:35:43 UTC 2013


On 12/04/2013 06:58 PM, Erinn Looney-Triggs wrote:
> On 12/04/2013 07:15 AM, Rob Crittenden wrote:
>> Erinn Looney-Triggs wrote:
>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>> 
>>> On 11/27/2013 11:11 AM, Rob Crittenden wrote:
>>>> Erinn Looney-Triggs wrote:
>>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>>>> 
>>>>> 
>>>>> 
>>>>> On 11/25/2013 11:09 AM, Rob Crittenden wrote:
>>>>>> Erinn Looney-Triggs wrote:
>>>>>>> Folks just wanted to touch base again before the American
>>>>>>> holiday season starts. My CA, which is subordinate to AD CS
>>>>>>> will be expiring on December 9th, I submitted a bug, y'all
>>>>>>> drew up docs etc for a plan (thanks). Now I just wanted to see
>>>>>>> how it was going and if need be what manual steps I will need
>>>>>>> to take to renew the certificate.
>>>>>>> 
>>>>>>> Thanks again for the great work,
>>>>>> 
>>>>>> We're working on an a set of tools to make this easier. For now
>>>>>> I've appended some manual instructions onto a page still in
>>>>>> progress.
>>>>>> 
>>>>>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Manual_Procedure_in_IPA_3.0
>>>>>> 
>>>>>> Some parts may still be a little rough or hard to understand.
>>>>>> Let me know if you have any problems or corrections.
>>>>>> 
>>>>>> rob
>>>>> 
>>>>> Rob,
>>>>> 
>>>>> Thanks for the instructions, a few questions.
>>>>> 
>>>>> What sort of interruption in service could this create?
>>>> 
>>>> Services will be restarted during this process including your LDAP,
>>>> Apache and CA instances. Downtime should be relatively short, no
>>>> more than a few minutes combined.
>>>> 
>>>>> Can you expand on this section a little bit: Replace the value of
>>>>> ca.signing.cert in /etc/pki-ca/CS.cfg. This is the base64 value of
>>>>> the certificate. You can obtain this by removing the BEGIN/END
>>>>> blocks from ipa.crt and compressing it into a single line.
>>>> 
>>>> A PEM cert looks like:
>>>> 
>>>> -----BEGIN CERTIFICATE-----
>>>> MIIB/zCCAWigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBB
>>>> IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDIyMzIyMzMxNVoXDTIw
>>>> MDIyMzIyMzMxNVowKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0
>>>> aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+G6ultyLaXqzBlypA
>>>> DnOsinkMTlZZssTFQh/QUMi1F1fcn8QUlmsl9a+l6w6hfZm7P8z3sVwsjLQcDWA4
>>>> KxOh+LmIsNL4OKx4wKF1q/pSt1PATRU5Pgu2+3wlwJO0H7cl4QfavoOLwmxAZf/l
>>>> ZNIy/5czvSWFWj7EJj16ty9BeQIDAQABozYwNDARBglghkgBhvhCAQEEBAMCAAcw
>>>> DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAsQwDQYJKoZIhvcNAQEFBQAD
>>>> gYEAl0gIshwNkhyfNe1XMLswPeOgH5YN1BUuKXzbv1fuSIkArjwLODr4cOdXzQvt
>>>> yaiX6Z+pRC/sK8MgLhPxV2X9QVQdzKfLkVGIdboCt1j3EXxSUCZeIuSKouitkWYe
>>>> eSH9DQkYDp/oKgANLWnY7CNorPz6xQktp1pB0DGohV1BeTA=
>>>> -----END CERTIFICATE-----
>>>> 
>>>> You need to drop the BEGIN/END blocks then combine all the lines
>>>> into a single line, so you have a unified base64 blob. It will look
>>>> like:
>>>> 
>>>> ca.signing.cert=MII...B0DGohV1BeTA=
>>>> 
>>>> I was afraid wrapping would destroy my demonstration so I used
>>>> ellipses instead.
>>>> 
>>>>> Thanks and happy Thanksgiving,
>>>> 
>>>> You're welcome. You too.
>>>> 
>>>> rob
>>>> 
>>> 
>>> Ok I have done the steps as outlined. One small suggestion and one
>>> question came up.
>>> 
>>> Suggestion: for the ldapmodify command indicate that a ctl-d is 
>>> necessary to end input. Most folks will know this, but some may not.
>>> 
>>> For the client section you have me copy the newly signed subordinate CA
>>> certificate into /etc/ipa/ca.crt. However, on my hosts that was
>>> actually a copy of the AD CS certificate, not the subordinate
>>> certificate. In the case of a subordinate installation do you want the
>>> root or the subordinate CA? It would seem that the root would be
>>> broader, but I just want to make sure.
>>> 
>> 
>> The IPA CA cert should be sufficient.
>> 
>> rob
> 
> 
> Thanks, and just for an update, the switch over was made, certmonger is
> happily updating certs now on all hosts and everything just appears to be
> working thus far, minus the replication of the agent certificate which I
> am still looking into.
> 
> Thanks for the help,
> 
> -Erinn

Great, I am glad to hear that. Note that we were investigating renewing
certificates and clones and found out an issue in Python readline that
prevented a renewal of the IPA agent certificate:

https://fedorahosted.org/freeipa/ticket/4064

Could this be the reason for your issues? Did you see a crash of certmonger
during the renewal? It was found to be happening due to the
aforementioned bug.

Thanks,
Martin
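Added example, not code from this thread or from the FreeIPA project: the CS.cfg step Rob describes in the quoted instructions (drop the BEGIN/END lines of ipa.crt, join the base64 into one line, put that in ca.signing.cert) as a small POSIX sh script. It validates the joined blob before writing and refuses to touch a CS.cfg that has no ca.signing.cert= line. The file paths, the temp directory and the certificate body in the demo are constructed for illustration; nothing here reads or writes /etc/pki-ca/CS.cfg unless you pass that path in yourself.

```shell
#!/bin/sh
# Added example (not from the FreeIPA project or from this thread).
# The CS.cfg step from the quoted instructions: strip the PEM armor from
# ipa.crt, join the base64 body into one line, and swap it into the
# ca.signing.cert= line of a CS.cfg. Works on whatever paths it is given,
# so it can be tried on copies before touching /etc/pki-ca/CS.cfg.

# Print the certificate body as a single base64 line: drop the
# BEGIN/END armor lines, then delete every line break.
pem_to_single_line() {
    sed -e '/^-----BEGIN CERTIFICATE-----$/d' \
        -e '/^-----END CERTIFICATE-----$/d' "$1" | tr -d '\r\n'
}

# Sanity check before writing anything into CS.cfg: only base64
# characters, optional "=" padding at the end, length a multiple of 4.
is_base64_blob() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' \
        && [ $(( ${#1} % 4 )) -eq 0 ]
}

# Read the current ca.signing.cert value back out of a CS.cfg.
get_ca_signing_cert() {
    sed -n 's/^ca\.signing\.cert=//p' "$1"
}

# Replace the ca.signing.cert= line in $1 with the body of the PEM file $2.
# Refuses to touch the file if the blob looks wrong or the key is absent.
# "|" is a safe sed delimiter because base64 never contains it.
set_ca_signing_cert() {
    cfg=$1
    blob=$(pem_to_single_line "$2")
    if ! is_base64_blob "$blob"; then
        echo "set_ca_signing_cert: $2 did not yield a base64 blob" >&2
        return 1
    fi
    if ! grep -q '^ca\.signing\.cert=' "$cfg"; then
        echo "set_ca_signing_cert: no ca.signing.cert= line in $cfg" >&2
        return 1
    fi
    sed "s|^ca\.signing\.cert=.*|ca.signing.cert=$blob|" "$cfg" > "$cfg.new" \
        && mv "$cfg.new" "$cfg"
}

# Stand-alone demo on constructed files in a temp dir. The certificate
# body is made up for illustration (truncated, not a real certificate),
# and the neighbouring CS.cfg line is just there to show it is preserved.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/ipa.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIB/zCCAWigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBB
IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDIyMzIyMzMxNVoXDTIw
p1pB0DGohV1BeTA=
-----END CERTIFICATE-----
EOF
    printf 'ca.signing.tokenname=internal\nca.signing.cert=OLDVALUE\n' \
        > "$dir/CS.cfg"
    set_ca_signing_cert "$dir/CS.cfg" "$dir/ipa.crt"
    echo "ca.signing.cert is now: $(get_ca_signing_cert "$dir/CS.cfg")"
    rm -rf "$dir"
}

demo
```

Run it on copies first: `cp /etc/pki-ca/CS.cfg /tmp/CS.cfg && set_ca_signing_cert /tmp/CS.cfg /path/to/ipa.crt`, diff the result against the original, and only then move it into place and restart the CA as the howto describes.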



