[Freeipa-users] Replacing CA Certificate

Lukáš Bezdička lukas.bezdicka at gooddata.com
Tue Jun 18 07:24:35 UTC 2013


We were playing with rotating the CA for FreeIPA as a DR procedure. I wouldn't
use this how-to unless completely necessary, as it will mean many manual
tasks on your infrastructure. But to know how it could be done:


1) ipa backup:
/var/lib/dirsrv/scripts-KOKOTINA/db2bak.pl -v -D "cn=directory manager" -w -
Bind Password:
Back up directory:
/var/lib/dirsrv/slapd-KOKOTINA/bak/KOKOTINA-2013_2_21_20_17_46
ldap_initialize( ldap://velka.kokotina:389 )
add objectclass:
	top
	extensibleObject
add cn:
	backup_2013_2_21_20_17_46
add nsArchiveDir:
	/var/lib/dirsrv/slapd-KOKOTINA/bak/KOKOTINA-2013_2_21_20_17_46
add nsDatabaseType:
	ldbm database
adding new entry "cn=backup_2013_2_21_20_17_46, cn=backup, cn=tasks, cn=config"
modify complete


2) copy backup elsewhere, reinstall FreeIPA with new CA


3) BACKUP:
cn=CAcert,cn=ipa,cn=etc,dc=kokotina from new CA

4) restore:
/var/lib/dirsrv/scripts-KOKOTINA/bak2db.pl -v -D "cn=directory manager" -a /var/lib/dirsrv/slapd-KOKOTINA/bak/KOKOTINA-2013_2_21_20_17_46/ -w -
Bind Password:
ldap_initialize( ldap://velka.kokotina:389 )
add objectclass:
	top
	extensibleObject
add cn:
	restore_2013_2_21_20_41_53
add nsArchiveDir:
	/var/lib/dirsrv/slapd-KOKOTINA/bak/KOKOTINA-2013_2_21_20_17_46/
add nsDatabaseType:
	ldbm database
adding new entry "cn=restore_2013_2_21_20_41_53, cn=restore, cn=tasks, cn=config"
modify complete

5) RESTORE:
cn=CAcert,cn=ipa,cn=etc,dc=kokotina from BACKUP of NEW CA

check logs:
less /var/log/dirsrv/slapd-KOKOTINA/errors

restart dirsrv:
service dirsrv restart

restart kdc:
/etc/init.d/krb5kdc restart

regen httpd keytab (ktadd is run inside kadmin.local, mv from the shell):
kadmin.local
ktadd -k /root/kokotina HTTP/velka.kokotina@KOKOTINA
mv /root/kokotina /etc/httpd/conf/ipa.keytab

regen ldap keytab:
ktadd -k /root/kokot ldap/velka.kokotina@KOKOTINA
mv /root/kokot /etc/dirsrv/ds.keytab

regen host keytab:
ktadd -k /root/picka host/velka.kokotina@KOKOTINA
mv /root/picka /etc/krb5.keytab

regen named keytab:
ktadd -k /root/oink DNS/velka.kokotina@KOKOTINA
mv /root/oink /etc/named.keytab

restore rights:
chown dirsrv:dirsrv /etc/dirsrv/ds.keytab
chown apache:apache /etc/httpd/conf/ipa.keytab
chown httpd:httpd /etc/httpd/conf/ipa.keytab
chmod 600 /etc/dirsrv/ds.keytab
chmod 600 /etc/httpd/conf/ipa.keytab
chmod 400 /etc/named.keytab
restorecon -Rv /etc/


I have a note about this procedure that we had an issue with httpd, and it was
solved with:
service httpd stop; rm /etc/httpd/conf/ipa.keytab ; ipa-getkeytab ... /etc/httpd/conf/ipa.keytab ; chmod .. ; sudo -u apache /bin/bash ; kdestroy ; exit ; service httpd restart
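The keytab regeneration and "restore rights" steps above, as an added example that is not from the mail or from the FreeIPA project: one script that regenerates each service keytab into a private temp file, moves it into place atomically, applies the owner and mode, and then checks that the owner, mode and principal are what was expected. It assumes it runs as root on the IPA master and reuses the mail's host velka.kokotina and realm KOKOTINA; root:root for /etc/krb5.keytab and named:named for /etc/named.keytab are assumptions, since the mail only sets their modes.

```shell
#!/bin/sh
# Added example (not from the mail). Assumes root on the IPA master and the
# mail's host velka.kokotina / realm KOKOTINA; root:root for krb5.keytab and
# named:named for named.keytab are assumptions (the mail does not chown them).
set -eu
HOST="velka.kokotina"
REALM="KOKOTINA"
# service  keytab-path  owner:group  mode
KEYTABS="
ldap /etc/dirsrv/ds.keytab dirsrv:dirsrv 600
HTTP /etc/httpd/conf/ipa.keytab apache:apache 600
host /etc/krb5.keytab root:root 600
DNS /etc/named.keytab named:named 400
"

# Write the new keytab to a private temp file (mktemp creates it 0600), then
# move it into place so a service never reads a half-written keytab.
regen_keytab() {  # $1=service $2=destination
    tmp=$(mktemp /root/keytab.XXXXXX)
    kadmin.local -q "ktadd -k $tmp $1/$HOST@$REALM"
    mv -f "$tmp" "$2"
}

# Apply the owner and mode from the "restore rights" step.
fix_perms() {  # $1=path $2=owner:group $3=mode
    chown "$2" "$1"
    chmod "$3" "$1"
}

# Succeed only if the file has exactly the expected owner and mode.
check_perms() {  # $1=path $2=owner:group $3=mode
    actual=$(stat -c '%U:%G %a' "$1")
    [ "$actual" = "$2 $3" ] && return 0
    echo "$1: expected $2 $3, got $actual" >&2
    return 1
}

main() {
    while read -r svc path owner mode; do
        [ -n "$svc" ] || continue
        regen_keytab "$svc" "$path"
        fix_perms "$path" "$owner" "$mode"
        check_perms "$path" "$owner" "$mode"
        klist -kt "$path" | grep -q "$svc/$HOST@$REALM"   # principal present?
    done <<EOF
$KEYTABS
EOF
    restorecon -Rv /etc/dirsrv /etc/httpd/conf /etc/krb5.keytab /etc/named.keytab
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as root with `--run` after dirsrv and the KDC have been restarted; the script stops at the first keytab whose owner, mode or principal does not match.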