[Freeipa-users] updating certificates

Florence Blanc-Renaud flo at redhat.com
Wed Aug 10 08:22:28 UTC 2016


Hi Josh,

depending on your IPA version, you may consider using 
ipa-server-certinstall and ipa-certupdate.

ipa-server-certinstall can be used to install a new certificate for 
Apache/LDAP servers, and ipa-certupdate to update the NSS DBs with the 
CA certificates found in the LDAP server.

Flo.

On 08/09/2016 05:48 PM, Josh wrote:
> Rob,
>
> One must also update /etc/ipa/nssdb the same way, otherwise ipa cli tool
> gets SEC_ERROR_UNTRUSTED_ISSUER !
>
> It would be nice to have an IPA tool to update all certificates in all
> required places.
>
> Also, why would I need to add a CA that is already in the system ca-trust to the
> private IPA nssdb?
>
> Josh.
>
>
> On 06/28/2016 10:50 AM, Rob Crittenden wrote:
>> jcnt at use.startmail.com wrote:
>>> Greetings,
>>>
>>> About a year ago I installed my freeipa server with certificates from
>>> startssl using command line options --dirsrv-cert-file --http-cert-file
>>> etc.
>>> The certificate is about to expire, what is the proper way to update it
>>> in all places?
>>
>> It depends on whether you kept the original CSR or not. If you kept
>> the original CSR and are just renewing the certificate(s) then when
>> you get the new one, use certutil to add the updated cert to the
>> appropriate NSS database like:
>>
>> # certutil -A -n Server-Cert -d /etc/httpd/alias -t u,u,u -a -i /path/to/new.crt
>>
>> If you need to generate a new CSR then you can use
>> ipa-server-certinstall to install the updated key and crt files.
>>
>> In either case probably worth backing up /etc/httpd/alias/*.db and
>> /etc/dirsrv/slapd-INSTANCE/*.db.
>>
>> rob
>>
>
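Added example, not from the thread or from the FreeIPA project: a small POSIX shell script that strings Rob's steps together for one NSS database (back up the *.db files, import the renewed cert under the existing nickname, then ask certutil to validate it for SSL server use so an untrusted issuer in that DB, the error Josh ran into, shows up immediately instead of at runtime). The directory paths and the Server-Cert nickname are the ones quoted in the thread; the backup location and the certutil -V check are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): renew a server cert in one IPA NSS DB.
# Assumed: certutil (nss-tools) is installed; paths/nickname as in the thread.
set -eu

# Copy every *.db file of an NSS database directory into a timestamped
# backup subdirectory and print that directory's path.
backup_nssdb() {
    dbdir=${1%/}
    stamp=${2:-$(date +%Y%m%d%H%M%S)}
    backup="$dbdir/backup-$stamp"
    mkdir -p "$backup"
    for f in "$dbdir"/*.db; do
        [ -f "$f" ] || continue          # directory holds no .db files
        cp -p "$f" "$backup/"
    done
    printf '%s\n' "$backup"
}

# Number of *.db files saved in a backup directory (sanity check).
backup_count() {
    ls "$1"/*.db 2>/dev/null | wc -l | tr -d ' '
}

# Import the renewed certificate under the existing nickname. The key pair
# from the original CSR stays in the DB; only the cert object is replaced.
# Trust flags u,u,u mark it as our own (user) cert for SSL/email/signing.
import_server_cert() {
    dbdir=$1 nick=$2 certfile=$3
    certutil -A -n "$nick" -d "$dbdir" -t u,u,u -a -i "$certfile"
    # Validate the chain for SSL server usage (-u V): fails with a non-zero
    # exit (e.g. untrusted issuer) if the CA is missing from this DB.
    certutil -V -n "$nick" -d "$dbdir" -u V
}

renew() {
    dbdir=$1 nick=$2 certfile=$3
    backup=$(backup_nssdb "$dbdir")
    echo "backed up $(backup_count "$backup") file(s) to $backup"
    import_server_cert "$dbdir" "$nick" "$certfile"
}

# Example invocations using the paths quoted in the thread:
# renew /etc/httpd/alias Server-Cert /path/to/new.crt
# renew /etc/dirsrv/slapd-INSTANCE Server-Cert /path/to/new.crt
```

Run it once per NSS database that holds the server cert; the /etc/ipa/nssdb Josh mentions is a separate DB and needs the CA chain present before the -V check will pass.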