[Freeipa-users] Using 3rd party certificates for HTTP/LDAP

[Rob Crittenden]

Peter Pakos wrote:
> On 15/01/2016 15:04, Rob Crittenden wrote:
>> Discussed in IRC last night but for the sake of history, he needed to
>> add the CA's to the dogtag NSS database in
>> /var/lib/pki/pki-tomcat/alias/ with a trust of C,,.
> 
> Yes, I added new root certificates to /etc/pki/pki-tomcat/alias and I
> was able to start all services.
> 
> I've noticed that ipa-certupdate command removes them and we're back to
> square one. Why is it doing this? Which database is it retrieving
> certificates from?

>From LDAP. It is dropping current certs and replacing them with those in
the NSS database.

> I've re-run ipa-certupdate in verbose mode and I could see that it
> removes all certificates in different databases (/etc/httpd/alias,
> /etc/pki/nssdb, /etc/pki/pki-tomcat/alias) and then re-adds them (apart
> from /etc/pki/pki-tomcat/alias).

Yup, looks like this part is missing. Perhaps the assumption was that
the CA would be authoritative in this regard.

> Also, what is the correct process for renewing 3rd party certificate?
> Will it be pushed automatically to all servers/clients? I don't want to
> be in trouble when it comes to renewing it.

There are two things here: the server certificates and the CA certificates.

In both cases you are on your own in doing this for now, you won't get
any notification of impending expiration unless your issuing CA tells you.

For the server certificates renewal depends on your CA but usually
involves resubmitting the original CSR and getting an updated
certificate. You then take that to your IPA servers and install that
updated certificate. You should be able to do this with certutil. This
only affects the IPA masters.

Updating the CA certs you'd want to add them to LDAP, replacing the
older ones, and then ipa-certupdate will do the rest. You'd need to run
this on all clients and servers.

rob