[Freeipa-users] Primary certificates
David Kupka
dkupka at redhat.com
Tue Jul 14 10:52:08 UTC 2015
On 13/07/15 16:05, Janelle wrote:
> Good morning,
>
> I was wondering, I install my servers with the self-signed certs. Now my
> management wants me to use official certificates. Is there an
> easy/recommended way to swap out all the certificates on all the
> servers? Especially with 16 servers, just trying to figure out if this
> is something I could script with PSSH or similar in order to do them all
> at once. Does it matter the order?
>
> Thank you
> ~Janelle
>
Hello!
Yes, there is an easy way:
1.Run "ipa-cacert-manage renew --external-ca" on one of CA masters
(first ipa-server installed or any replica installed with --setup-ca).
This will generate csr you need to get signed by your CA.
2. Then run "ipa-cacert-manage renew --external-cert-file <signed
certificate> --external-cert-file <your ca certificate>"
This will update the IPA CA certificate in LDAP.
3. Then you need to run "ipa-certupdate" on all ipa servers and clients
to distribute the new certificate.
--
David Kupka
More information about the Freeipa-users
mailing list