[Freeipa-users] updating certificates

Josh jcnt at use.startmail.com
Sat Dec 24 00:58:03 UTC 2016


Hi Rob,

I'd like to really clarify the certificate renewal process. I can successfully 
update certificates in /etc/dirsrv/slapd-domain and /etc/httpd/alias, but 
any new IPA client still gets the expired certificate, which is present 
someplace in LDAP. I was trying to use ipa-server-certinstall, described in 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/third-party-certs-http-ldap.html 
but the document does not cover the case where an intermediate certificate is 
required.

Josh.

On 07/11/2016 10:10 AM, Rob Crittenden wrote:
> jcnt at use.startmail.com wrote:
>> On Tuesday, June 28, 2016 10:50 AM, Rob Crittenden 
>> <rcritten at redhat.com> wrote:
>>> jcnt at use.startmail.com wrote:
>>>> Greetings,
>>>>
>>>> About a year ago I installed my freeipa server with certificates from
>>>> startssl using command line options --dirsrv-cert-file 
>>>> --http-cert-file
>>>> etc.
>>>> The certificate is about to expire; what is the proper way to 
>>>> update it
>>>> in all places?
>>>
>>> It depends on whether you kept the original CSR or not. If you kept the
>>> original CSR and are just renewing the certificate(s) then when you get
>>> the new one, use certutil to add the updated cert to the appropriate 
>>> NSS
>>> database like:
>>>
>>> # certutil -A -n Server-Cert -d /etc/httpd/alias -t u,u,u -a -i
>>> /path/to/new.crt
>>>
>>
>> Rob,
>>
>> Thank you, that worked just fine, except that I had to update an 
>> intermediate certificate as well.
>>
>> Two questions, please:
>>
>> 1. I noticed a strange discrepancy in behavior between 
>> /etc/httpd/alias and /etc/dirsrv/slapd-domain.
>> In both places the original intermediate certificate is listed with empty 
>> ",," trust attributes, so I initially added the new intermediate 
>> certificate with empty attributes as well.
>> certutil -V showed a valid certificate in /etc/httpd/alias and not 
>> trusted in /etc/dirsrv/slapd-domain, so I had to modify the intermediate 
>> certificate with -t "C,,".
>
> Hmm, not sure. Did the CA chain change in between the issuance of the 
> two certs?
>
> Adding a new certificate shouldn't affect the trust of any other certs 
> so I'm not sure what happened. It could be that those subordinate CAs 
> were loaded the first time incorrectly but weren't used so it wasn't 
> noticed, I'm not really sure.
>
>> 2. Just out of curiosity I wanted to list private keys and was 
>> prompted for a password:
>> # certutil -K -d /etc/httpd/alias/
>> certutil: Checking token "NSS Certificate DB" in slot "NSS User 
>> Private Key and Certificate Services"
>> Enter Password or Pin for "NSS Certificate DB":
>>
>> Which one of the many passwords provided by a user is used by the 
>> ipa-server-install command during NSS database initialization?
>
> In each NSS directory there is a pwdfile.txt which contains the PIN 
> for the internal token. You can add -f /etc/httpd/alias/pwdfile.txt to 
> your command to list the private keys.
>
> rob
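As an added example (not part of the thread, and not IPA's own tooling), a small shell audit for the discrepancy raised in question 1: it reads a `certutil -L -d <nssdir>` listing and reports chain certificates stored with empty ",," trust flags, which `certutil -V` in the dirsrv database rejects as untrusted, and prints the `certutil -M ... -t "C,,"` fix from the thread for each. The sample listing and the certificate nicknames in it are constructed.

```shell
#!/bin/sh
# Added example: audit the trust flags in an IPA NSS database listing.
# Input is the output of `certutil -L -d <nssdir>`; the sample below is
# constructed and every nickname in it is hypothetical.
#
# Prints "<trust><TAB><nickname>" for every entry that is NOT our own key
# (no "u" in the SSL column) and carries no CA trust ("C" or "T") in the
# SSL column, i.e. an intermediate or root loaded with empty ",," flags.
flag_untrusted_cas() {
    awk '
      # a trust column is three comma-separated groups of NSS flag letters
      $NF ~ /^[CTcpPuw]*,[CTcpPuw]*,[CTcpPuw]*$/ {
          trust = $NF
          nick  = $0
          sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the trust column
          split(trust, f, ",")
          if (f[1] ~ /u/) next                    # Server-Cert: we hold the key
          if (f[1] !~ /[CT]/) printf "%s\t%s\n", trust, nick
      }'
}

# Run the audit against a real database and print, for each flagged entry,
# the certutil -M command that applies the "-t C,," fix from the thread.
# Nothing is modified; the admin reviews and runs the printed commands.
audit_nssdb() {
    dir=$1
    certutil -L -d "$dir" | flag_untrusted_cas |
    while IFS="$(printf '\t')" read -r trust nick; do
        echo "# $dir: \"$nick\" has trust \"$trust\"; to trust it as an SSL CA run:"
        echo "certutil -M -d \"$dir\" -n \"$nick\" -t \"C,,\""
    done
}

# Constructed sample listing in certutil -L format (hypothetical nicknames).
SAMPLE_LISTING='Certificate Nickname                           Trust Attributes
                                               SSL,S/MIME,JAR/XPI

Server-Cert                                    u,u,u
Example Root CA                                CT,C,C
Example Intermediate Server CA                 ,,'

# Demo on the sample (no certutil needed): flags only the intermediate.
printf '%s\n' "$SAMPLE_LISTING" | flag_untrusted_cas
```

On a live server run `audit_nssdb /etc/httpd/alias` and `audit_nssdb /etc/dirsrv/slapd-DOMAIN` (both paths from the thread) and compare the two reports.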
