[Freeipa-users] updating certificates

Josh jcnt at use.startmail.com
Mon Aug 1 18:37:44 UTC 2016


Hi Rob,

Just a quick summary on my certificate renew experience.

I started with a worst case scenario assumption - the original CSR and key 
are no longer available.
1. export the old certificate in PKCS#12 format
pk12util -d /etc/httpd/alias -n 'certificate alias' -o /tmp/ipa.p12 -k /etc/httpd/alias/pwdfile.txt
2. extract the original certificate key
openssl pkcs12 -in /tmp/ipa.p12 -out /tmp/ipa.key -nocerts
3. generate a new CSR
openssl req -out CSR.csr -key /tmp/ipa.key -new

The above commands are just for reference and require significant interactive input.
I wonder if anyone can wrap it all in one script.

Regarding installing the new certificate, I found that the simplest method is to 
delete the expired certificate first and import the new one using the same 
alias, adding the intermediate certificate if it changed. The steps are identical 
for both apache and directory server.
1. certutil -D -d /etc/httpd/alias -n original_alias
2. certutil -A -n Intermediate -d /etc/httpd/alias -a -i intermediate.pem -t "C,,"
3. certutil -A -n original_alias -d /etc/httpd/alias -t u,u,u -a -i myipanew.pem


Josh.

On 07/11/2016 10:10 AM, Rob Crittenden wrote:
> jcnt at use.startmail.com wrote:
>> On Tuesday, June 28, 2016 10:50 AM, Rob Crittenden 
>> <rcritten at redhat.com> wrote:
>>> jcnt at use.startmail.com wrote:
>>>> Greetings,
>>>>
>>>> About a year ago I installed my freeipa server with certificates from
>>>> startssl using command line options --dirsrv-cert-file 
>>>> --http-cert-file
>>>> etc.
>>>> The certificate is about to expire, what is the proper way to 
>>>> update it
>>>> in all places?
>>>
>>> It depends on whether you kept the original CSR or not. If you kept the
>>> original CSR and are just renewing the certificate(s) then when you get
>>> the new one, use certutil to add the updated cert to the appropriate NSS
>>> database like:
>>>
>>> # certutil -A -n Server-Cert -d /etc/httpd/alias -t u,u,u -a -i /path/to/new.crt
>>>
>>
>> Rob,
>>
>> Thank you, that worked just fine, except that I had to update an 
>> intermediate certificate as well.
>>
>> Two questions, please:
>>
>> 1. I noticed a strange discrepancy in behavior between 
>> /etc/httpd/alias and /etc/dirsrv/slapd-domain.
>> In both places the original intermediate certificate is listed with empty 
>> ",," trust attributes, so I initially added the new intermediate 
>> certificate with empty attributes as well.
>> certutil -V showed a valid certificate in /etc/httpd/alias and not 
>> trusted in /etc/dirsrv/slapd-domain, so I had to modify the intermediate 
>> certificate with -t "C,,"
>
> Hmm, not sure. Did the CA chain change in between the issuance of the 
> two certs?
>
> Adding a new certificate shouldn't affect the trust of any other certs 
> so I'm not sure what happened. It could be that those subordinate CAs 
> were loaded the first time incorrectly but weren't used so it wasn't 
> noticed, I'm not really sure.
>
>> 2. Just out of curiosity I wanted to list the private keys and was 
>> prompted for a password:
>> # certutil -K -d /etc/httpd/alias/
>> certutil: Checking token "NSS Certificate DB" in slot "NSS User 
>> Private Key and Certificate Services"
>> Enter Password or Pin for "NSS Certificate DB":
>>
>> Which one of the many passwords provided by the user is used by the 
>> ipa-server-install command during NSS database initialization?
>
> In each NSS directory there is a pwdfile.txt which contains the PIN 
> for the internal token. You can add -f /etc/httpd/alias/pwdfile.txt to 
> your command to list the private keys.
>
> rob
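The three export/extract/CSR steps from the summary above, wrapped into one non-interactive script, as an added example that is not code from the thread or from FreeIPA. It assumes the NSS directory holds the pwdfile.txt Rob mentions (the internal-token PIN); the function name renew_csr, the p12pass.txt passphrase file and the work-directory layout are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the thread: runs the export / key-extract /
# CSR steps without prompts. Assumes NSSDIR holds the pwdfile.txt Rob
# mentions (the internal-token PIN); the PKCS#12 passphrase file and the
# function name are this example's own choices.
set -eu

# renew_csr NSSDIR NICK SUBJECT WORKDIR
#   NSSDIR   NSS database directory, e.g. /etc/httpd/alias
#   NICK     nickname of the expiring certificate, e.g. Server-Cert
#   SUBJECT  subject of the new request, e.g. /CN=ipa.example.test
#   WORKDIR  directory that receives ipa.p12, ipa.key and CSR.csr
renew_csr() {
    nssdir=$1; nick=$2; subject=$3; workdir=$4
    pwdfile="$nssdir/pwdfile.txt"
    p12pass="$workdir/p12pass.txt"
    [ -r "$pwdfile" ] || { echo "cannot read $pwdfile" >&2; return 1; }
    umask 077                  # the extracted key must not be world-readable
    mkdir -p "$workdir"
    # one-off passphrase protecting the exported PKCS#12 bundle
    openssl rand -hex 24 > "$p12pass"
    # 1. export cert + key: -k reads the token PIN, -w the bundle passphrase
    pk12util -d "$nssdir" -n "$nick" -o "$workdir/ipa.p12" \
        -k "$pwdfile" -w "$p12pass"
    # 2. extract the private key, unencrypted, from the bundle
    openssl pkcs12 -in "$workdir/ipa.p12" -out "$workdir/ipa.key" \
        -nocerts -nodes -passin "file:$p12pass"
    # 3. build the CSR from that key; -subj skips the interactive DN prompts
    openssl req -new -key "$workdir/ipa.key" -subj "$subject" \
        -out "$workdir/CSR.csr"
    rm -f "$workdir/ipa.p12" "$p12pass"   # bundle and passphrase no longer needed
    echo "$workdir/CSR.csr"
}

if [ $# -eq 4 ]; then renew_csr "$@"; fi
```

With OpenSSL 1.1.1 or later, `-addext "subjectAltName=DNS:ipa.example.test"` can be appended to the req step so the new request carries the hostname as a SAN as well.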