[Freeipa-users] updating certificates
Josh
jcnt at use.startmail.com
Tue Aug 9 15:48:29 UTC 2016
Rob,
One must also update /etc/ipa/nssdb the same way, otherwise the ipa cli tool
gets SEC_ERROR_UNTRUSTED_ISSUER!
It would be nice to have an IPA tool to update all certificates in all
required places.
Also, why would I need to add a CA that is already in the system ca-trust to the
private IPA nssdb?
Josh.
On 06/28/2016 10:50 AM, Rob Crittenden wrote:
> jcnt at use.startmail.com wrote:
>> Greetings,
>>
>> About a year ago I installed my freeipa server with certificates from
>> startssl using command line options --dirsrv-cert-file --http-cert-file
>> etc.
>> The certificate is about to expire, what is the proper way to update it
>> in all places?
>
> It depends on whether you kept the original CSR or not. If you kept
> the original CSR and are just renewing the certificate(s) then when
> you get the new one, use certutil to add the updated cert to the
> appropriate NSS database like:
>
> # certutil -A -n Server-Cert -d /etc/httpd/alias -t u,u,u -a -i /path/to/new.crt
>
> If you need to generate a new CSR then you can use
> ipa-server-certinstall to install the updated key and crt files.
>
> In either case probably worth backing up /etc/httpd/alias/*.db and
> /etc/dirsrv/slapd-INSTANCE/*.db.
>
> rob
>
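The steps in this thread (back up the *.db files, import the renewed cert with certutil -A, and do it for the httpd, dirsrv and /etc/ipa/nssdb databases so the ipa client does not hit SEC_ERROR_UNTRUSTED_ISSUER) pulled together as one script. This is an added example, not code from either poster or from the FreeIPA project; it assumes the nickname Server-Cert is used in all three databases, that the dirsrv instance name is passed as the first argument, and it adds a post-import check with certutil -V -u V (validate for SSL-server usage) so an untrusted issuer chain in any one database fails loudly instead of surfacing later in a client tool. CERTUTIL and BACKUP_ROOT are overridable so the procedure can be rehearsed against a throwaway directory.

```shell
#!/bin/sh
# Renew the FreeIPA server certificate in every NSS database it lives in.
# Usage: sh renew-ipa-cert.sh DIRSRV_INSTANCE /path/to/new.crt
# Assumptions (not from the thread): nickname Server-Cert everywhere,
# certutil on PATH, run as root.
set -e

CERTUTIL="${CERTUTIL:-certutil}"                  # overridable for rehearsal
BACKUP_ROOT="${BACKUP_ROOT:-/root/ipa-nss-backup}" # where *.db copies go

# The three NSS databases named in the thread, one per line.
ipa_nss_dbs() {
    instance="$1"
    printf '%s\n' /etc/httpd/alias "/etc/dirsrv/slapd-$instance" /etc/ipa/nssdb
}

# Copy the *.db files of one NSS database into a timestamped backup tree
# that mirrors the original path, and print the destination directory.
# cp fails (and set -e aborts) if the directory holds no *.db files.
backup_nss_db() {
    db="$1"; stamp="$2"
    dest="$BACKUP_ROOT/$stamp$db"
    mkdir -p "$dest"
    cp -p "$db"/*.db "$dest"/
    echo "$dest"
}

# Back up, import the renewed cert under the existing nickname (same key,
# same CSR, as in Rob's reply), then ask NSS whether the cert now validates
# for SSL-server usage inside this database. The -V step is the check that
# catches a missing issuer chain, the error Josh reports from the ipa cli.
renew_in_db() {
    db="$1"; nick="$2"; crt="$3"; stamp="$4"
    saved=$(backup_nss_db "$db" "$stamp")
    echo "backed up $db/*.db to $saved"
    "$CERTUTIL" -A -n "$nick" -d "$db" -t u,u,u -a -i "$crt"
    "$CERTUTIL" -V -u V -n "$nick" -d "$db"
    echo "renewed $nick in $db"
}

# Walk all three databases with one shared backup timestamp.
renew_all() {
    instance="$1"; crt="$2"
    stamp=$(date +%Y%m%dT%H%M%S)
    for db in $(ipa_nss_dbs "$instance"); do
        renew_in_db "$db" Server-Cert "$crt" "$stamp"
    done
    echo "done; restart httpd and dirsrv@$instance to pick up the new cert"
}

# Only act when invoked with both arguments, so the functions can be sourced.
if [ "$#" -eq 2 ]; then
    renew_all "$1" "$2"
fi
```

Run as `sh renew-ipa-cert.sh EXAMPLE-COM /path/to/new.crt`. To rehearse without touching the real databases, point BACKUP_ROOT at a scratch directory and set CERTUTIL to a wrapper that only logs its arguments; the backup step still exercises the real copy logic.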