[Freeipa-users] CA expiration and renewal
Erinn Looney-Triggs
erinn.looneytriggs at gmail.com
Wed Nov 27 18:21:52 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 11/25/2013 11:09 AM, Rob Crittenden wrote:
> Erinn Looney-Triggs wrote:
>> Folks just wanted to touch base again before the American holiday
>> season starts. My CA, which is subordinate to AD CS will be
>> expiring on December 9th, I submitted a bug, y'all drew up docs
>> etc for a plan (thanks). Now I just wanted to see how it was
>> going and if need be what manual steps I will need to take to
>> renew the certificate.
>>
>> Thanks again for the great work,
>
> We're working on an a set of tools to make this easier. For now
> I've appended some manual instructions onto a page still in
> progress.
>
> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Manual_Procedure_in_IPA_3.0
>
>
>
> Some parts may be still be a little rough or hard to understand.
> Let me know if you have any problems or corrections.
>
> rob
Rob,
Thanks for the instructions, a few questions.
What sort of interruption in service could this create?
Can you expand on this section a little bit:
Replace the value of ca.signing.cert in /etc/pki-ca/CS.cfg. This is
the base64 value of the certificate. You can obtain this by removing
the BEGIN/END blocks from ipa.crt and compressing it into a single line.
Thanks and happy Thanksgiving,
- -Erinn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
iQEcBAEBAgAGBQJSljg7AAoJENetaK3v/E7P9EsIAI6u6A2702kCFqz0j+DDnz0v
vaLra+syW8yxvEXFquHInVnXLWXbdtx0NYks0I+WFzYQGhIp9kM2GCpGTGcQYw3y
Hi+dCNbEmKyJzA+gWdswDIMmvWVfOR9jc5D7L5gRXU4/bb7osECBSvUhNt6Jd2Jw
ejKzE9yRNn9KU0RFGfOeq81fdoAl8GYKJiqeL1V0ATpGZepfhwMyQdbEsGPcrbwM
cKm9WQRfWwurkFBXFO4BJxELgS4/WxraWWb7JA+sjCrctRVvl2odloHgGYanfT0z
c33dNJDkneXvKvw0E1y62NVupI4z5XRHqad5PepWkUKI9n12c/YC8hUZQ3aspto=
=uDkT
-----END PGP SIGNATURE-----
More information about the Freeipa-users
mailing list