[Freeipa-users] updating certificates

jcnt at use.startmail.com jcnt at use.startmail.com
Sun Jul 10 17:47:43 UTC 2016


On Tuesday, June 28, 2016 10:50 AM, Rob Crittenden <rcritten at redhat.com> wrote:
> jcnt at use.startmail.com wrote:
>> Greetings,
>>
>> About a year ago I installed my freeipa server with certificates from
>> startssl using command line options --dirsrv-cert-file --http-cert-file
>> etc.
>> The certificate is about to expire, what is the proper way to update it
>> in all places?
> 
> It depends on whether you kept the original CSR or not. If you kept the
> original CSR and are just renewing the certificate(s) then when you get
> the new one, use certutil to add the updated cert to the appropriate NSS
> database like:
> 
> # certutil -A -n Server-Cert -d /etc/httpd/alias -t u,u,u -a -i /path/to/new.crt
> 

Rob,

Thank you, that worked just fine, except that I had to update an intermediate certificate as well.

Two questions, please:

1. I noticed a strange discrepancy in behavior between /etc/httpd/alias and /etc/dirsrv/slapd-domain.
In both places the original intermediate certificate is listed with empty ",," trust attributes, so I initially added the new intermediate certificate with empty attributes as well.
certutil -V showed a valid certificate in /etc/httpd/alias and not trusted in /etc/dirsrv/slapd-domain, so I had to modify the intermediate certificate with -t "C,,".

2. Just out of curiosity I wanted to list the private keys and was prompted for a password:
# certutil -K -d /etc/httpd/alias/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":

Which one of the many passwords provided by the user is used by the ipa-server-install command during NSS database initialization?

Josh.
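A small check for the trust-flag discrepancy in question 1, as an added example that is not part of the thread or of FreeIPA: it parses constructed listings in the format `certutil -L -d <dbdir>` prints (nicknames other than Server-Cert are hypothetical) and reports CA certificates stored with an empty SSL trust column, then emits the `certutil -M ... -t C,,` command that sets the trust the thread ended up applying.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Parse a
# `certutil -L` listing and report every certificate whose SSL trust
# column has neither C (trusted CA) nor u (our own key), i.e. a chain
# cert kept with empty ",," flags that -V may not build a trusted chain
# through. Both listings below are constructed samples; the nicknames
# other than Server-Cert are hypothetical.

HTTPD_LIST='Certificate Nickname                             Trust Attributes
                                                 SSL,S/MIME,JAR/XPI

Server-Cert                                      u,u,u
startssl-intermediate                            ,,
startssl-root                                    C,,'

DIRSRV_LIST='Certificate Nickname                             Trust Attributes
                                                 SSL,S/MIME,JAR/XPI

Server-Cert                                      u,u,u
startssl-intermediate                            ,,'

# untrusted_ca_certs LISTING: print "<flags> <nickname>" per offending cert.
untrusted_ca_certs() {
    printf '%s\n' "$1" | awk '
        /^Certificate Nickname/ || /SSL,S\/MIME/ || /^[[:space:]]*$/ { next }
        {
            flags = $NF                                   # trust attrs are last
            nick = $0
            sub(/[[:space:]]+[^[:space:]]+$/, "", nick)   # drop the flags column
            split(flags, col, ",")                        # col[1] is the SSL column
            if (col[1] !~ /C/ && col[1] !~ /u/) print flags " " nick
        }'
}

# fix_commands DBDIR LISTING: emit one certutil -M (modify trust) line per
# offending nickname, applying the same "C,," the thread used.
fix_commands() {
    untrusted_ca_certs "$2" | while IFS= read -r line; do
        nick=${line#* }
        printf 'certutil -M -d %s -n "%s" -t C,,\n' "$1" "$nick"
    done
}

untrusted_ca_certs "$DIRSRV_LIST"
fix_commands /etc/dirsrv/slapd-domain "$DIRSRV_LIST"
```

Feed it real output with `untrusted_ca_certs "$(certutil -L -d /etc/dirsrv/slapd-domain)"`; review the emitted commands before running them, since they change which CAs the database trusts.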
