[Freeipa-users] CA expiration and renewal

Rob Crittenden rcritten at redhat.com
Wed Nov 27 19:11:47 UTC 2013


Erinn Looney-Triggs wrote:
> On 11/25/2013 11:09 AM, Rob Crittenden wrote:
>> Erinn Looney-Triggs wrote:
>>> Folks just wanted to touch base again before the American holiday
>>> season starts. My CA, which is subordinate to AD CS will be
>>> expiring on December 9th, I submitted a bug, y'all drew up docs
>>> etc for a plan (thanks). Now I just wanted to see how it was
>>> going and if need be what manual steps I will need to take to
>>> renew the certificate.
>>>
>>> Thanks again for the great work,
>>
>> We're working on a set of tools to make this easier. For now
>> I've appended some manual instructions onto a page still in
>> progress.
>>
>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Manual_Procedure_in_IPA_3.0
>>
>> Some parts may still be a little rough or hard to understand.
>> Let me know if you have any problems or corrections.
>>
>> rob
>
> Rob,
>
> Thanks for the instructions, a few questions.
>
> What sort of interruption in service could this create?

Services will be restarted during this process including your LDAP, 
Apache and CA instances. Downtime should be relatively short, no more 
than a few minutes combined.

> Can you expand on this section a little bit:
> Replace the value of ca.signing.cert in /etc/pki-ca/CS.cfg. This is
> the base64 value of the certificate. You can obtain this by removing
> the BEGIN/END blocks from ipa.crt and compressing it into a single line.

A PEM cert looks like:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

You need to drop the BEGIN/END blocks then combine all the lines into a 
single line, so you have a unified base64 blob. It will look like:

ca.signing.cert=MII...B0DGohV1BeTA=

I was afraid wrapping would destroy my demonstration so I used ellipses 
instead.

> Thanks and happy Thanksgiving,

You're welcome. You too.

rob
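As an added example (not from the thread, the FreeIPA wiki page, or the project's own tooling): a POSIX shell helper that flattens a PEM file such as ipa.crt into the single-line form the ca.signing.cert line in CS.cfg expects, checks the result is one unbroken base64 run, and swaps it into a config file after taking a backup. The certificate body and the non-ca.signing.cert config lines are constructed placeholders, not real data.

```shell
# Constructed sample input: the base64 body below is NOT a real certificate,
# just valid base64 wrapped at 64 columns the way PEM files are.
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2
d3h5ejAxMjM0NTY3ODk=
-----END CERTIFICATE-----'

# Constructed CS.cfg fragment: only ca.signing.cert comes from the thread;
# the other keys are placeholders showing that untouched lines survive.
SAMPLE_CFG='some.other.key=keep-me
ca.signing.cert=OLDVALUE
another.key=also-kept'

# Drop the BEGIN/END armor lines and join the remaining base64 into one line.
pem_to_cs_line() {
    grep -v -- '-----' "$1" | tr -d '\r\n'
}

# Sanity check: one unbroken run of base64 characters, optional '=' padding.
is_single_line_base64() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# Replace the ca.signing.cert value in $1 (a CS.cfg) with the flattened PEM
# from $2, keeping a .bak copy. awk is used instead of sed because base64
# contains '/' and '+', which are special in sed delimiters and patterns.
update_ca_signing_cert() {
    cfg=$1
    blob=$(pem_to_cs_line "$2")
    is_single_line_base64 "$blob" || { echo "bad base64 in $2" >&2; return 1; }
    cp "$cfg" "$cfg.bak" || return 1
    awk -v v="$blob" 'BEGIN { FS = OFS = "=" }
        $1 == "ca.signing.cert" { print $1, v; next }
        { print }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Write the constructed samples into a directory so the functions above can
# be exercised without touching a real /etc/pki-ca/CS.cfg.
write_samples() {
    printf '%s\n' "$SAMPLE_PEM" > "$1/ipa.crt"
    printf '%s\n' "$SAMPLE_CFG" > "$1/CS.cfg"
}

# Stand-alone demo on the constructed files.
work=$(mktemp -d)
write_samples "$work"
update_ca_signing_cert "$work/CS.cfg" "$work/ipa.crt"
grep '^ca.signing.cert=' "$work/CS.cfg"
rm -rf "$work"
```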
