[Freeipa-users] updating certificates

Josh jcnt at use.startmail.com
Sat Dec 24 02:44:23 UTC 2016


Hi Flo,

looks like ipa-certupdate requires /etc/ipa/nssdb to be already updated, 
so it seems useless if the existing certificates have expired.

I am experimenting on another server with expired certificates. I was able 
to successfully update /etc/httpd/alias and /etc/dirsrv/slapd-INSTANCE, 
but the ipa command still returns SEC_ERROR_UNTRUSTED_ISSUER even 
though I updated /etc/ipa/nssdb with the new intermediate certificate from 
startcom.

Am I missing something else here?

Josh.


On 08/10/2016 04:22 AM, Florence Blanc-Renaud wrote:
> Hi Josh,
>
> depending on your IPA version, you may consider using 
> ipa-server-certinstall and ipa-certupdate.
>
> ipa-server-certinstall can be used to install a new certificate for 
> Apache/LDAP servers, and ipa-certupdate to update the NSS DBs with the 
> CA certificates found in the LDAP server.
>
> Flo.
>
> On 08/09/2016 05:48 PM, Josh wrote:
>> Rob,
>>
>> One must also update /etc/ipa/nssdb the same way, otherwise ipa cli tool
>> gets SEC_ERROR_UNTRUSTED_ISSUER !
>>
>> It would be nice to have an IPA tool to update all certificates in all
>> required places.
>>
>> Also, why would I need to add a CA that is already in the system ca-trust to the
>> private IPA nssdb?
>>
>> Josh.
>>
>>
>> On 06/28/2016 10:50 AM, Rob Crittenden wrote:
>>> jcnt at use.startmail.com wrote:
>>>> Greetings,
>>>>
>>>> About a year ago I installed my freeipa server with certificates from
>>>> startssl using command line options --dirsrv-cert-file 
>>>> --http-cert-file
>>>> etc.
>>>> The certificate is about to expire, what is the proper way to 
>>>> update it
>>>> in all places?
>>>
>>> It depends on whether you kept the original CSR or not. If you kept
>>> the original CSR and are just renewing the certificate(s) then when
>>> you get the new one, use certutil to add the updated cert to the
>>> appropriate NSS database like:
>>>
>>> # certutil -A -n Server-Cert -d /etc/httpd/alias -t u,u,u -a -i /path/to/new.crt
>>>
>>> If you need to generate a new CSR then you can use
>>> ipa-server-certinstall to install the updated key and crt files.
>>>
>>> In either case probably worth backing up /etc/httpd/alias/*.db and
>>> /etc/dirsrv/slapd-INSTANCE/*.db.
>>>
>>> rob
>>>
>>
>
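The thread's recurring point is that a renewed server certificate (and its issuing CA) has to be present in every NSS database FreeIPA reads, or the `ipa` client fails with SEC_ERROR_UNTRUSTED_ISSUER. The script below is an added example, not code from the thread or from the FreeIPA project: it parses `certutil -L` output to report whether Server-Cert is expired or about to expire and which entries in each database carry CA trust, and it runs `certutil -V` so the chain is checked the way the consuming programs check it. It assumes `certutil` from nss-tools and GNU `date -d` are available, and that `slapd-INSTANCE` is replaced with the real instance directory name; the two sample outputs embedded in it are constructed so the parsing functions can be exercised on a machine without FreeIPA.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the FreeIPA project): audit
# every NSS database FreeIPA reads so an expiring Server-Cert or a missing CA
# entry is noticed before `ipa` starts failing with SEC_ERROR_UNTRUSTED_ISSUER.
# Assumptions: nss-tools `certutil` on PATH, GNU `date -d`, and that
# "slapd-INSTANCE" below is replaced with the real instance directory name.

WARN_DAYS=30

# Constructed sample of `certutil -L -d <db> -n Server-Cert` output (trimmed).
SAMPLE_CERT='Certificate:
    Data:
        Issuer: "CN=Example Intermediate CA,O=Example Ltd"
        Validity:
            Not Before: Wed Dec 23 00:00:00 2015
            Not After : Fri Dec 23 23:59:59 2016
        Subject: "CN=ipa.example.test,O=EXAMPLE.TEST"'

# Constructed sample of `certutil -L -d <db>` output (nickname + trust flags).
SAMPLE_LIST='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Example Intermediate CA                                      CT,C,C'

# Extract the "Not After" timestamp from a certificate dump.
cert_not_after() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Not After *: *//p'
}

# Extract the issuer DN (without the surrounding quotes) from a certificate dump.
cert_issuer() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Issuer: *"\(.*\)"$/\1/p'
}

# Seconds from "now" ($2 as epoch seconds, defaults to the current time) to $1.
seconds_until() {
    _target=$(date -d "$1" +%s)
    _now=${2:-$(date +%s)}
    echo $(( _target - _now ))
}

# Classify a certificate dump as EXPIRED, EXPIRING (inside WARN_DAYS) or OK.
cert_status() {
    _secs=$(seconds_until "$(cert_not_after "$1")" "${2:-}")
    if [ "$_secs" -lt 0 ]; then echo EXPIRED
    elif [ "$_secs" -lt $(( WARN_DAYS * 86400 )) ]; then echo EXPIRING
    else echo OK
    fi
}

# Nicknames in a `certutil -L` listing whose SSL trust flag starts with C
# (C,, or CT,,): the issuing CA must appear here for Server-Cert to validate.
ca_nicknames() {
    printf '%s\n' "$1" | awk '
        NF >= 2 && $NF ~ /^[CTPpcu,]*$/ && $NF ~ /^C/ {
            $NF = ""; sub(/[ \t]+$/, ""); print
        }'
}

# Audit one NSS database: Server-Cert status (if present), chain validation,
# and the CA entries it holds. /etc/ipa/nssdb normally has no Server-Cert.
audit_nssdb() {
    _db=$1
    echo "== $_db"
    if _dump=$(certutil -L -d "$_db" -n Server-Cert 2>/dev/null); then
        echo "Server-Cert: $(cert_status "$_dump")  issuer: $(cert_issuer "$_dump")"
        certutil -V -d "$_db" -n Server-Cert -u V >/dev/null 2>&1 \
            || echo "certutil -V: chain does not reach a trusted CA in this DB"
    else
        echo "no Server-Cert nickname (CA trust store only)"
    fi
    echo "CA entries:"
    ca_nicknames "$(certutil -L -d "$_db")" | sed 's/^/    /'
}

# Run with:  sh audit_nssdb.sh audit   (as root, after backing up the *.db files)
if [ "${1:-}" = "audit" ]; then
    for db in /etc/httpd/alias /etc/dirsrv/slapd-INSTANCE /etc/ipa/nssdb; do
        [ -d "$db" ] && audit_nssdb "$db"
    done
fi
```

Running it before and after a renewal makes the "all required places" question concrete: a database where Server-Cert reports OK but `certutil -V` still fails is one where the new intermediate has not been imported, which is exactly the state that produces SEC_ERROR_UNTRUSTED_ISSUER for the `ipa` client.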
