[Freeipa-users] updating certificates

Rob Crittenden rcritten at redhat.com
Tue Jun 28 14:50:32 UTC 2016


jcnt at use.startmail.com wrote:
> Greetings,
>
> About a year ago I installed my freeipa server with certificates from
> startssl using command line options --dirsrv-cert-file --http-cert-file
> etc.
> The certificate is about to expire, what is the proper way to update it
> in all places?

It depends on whether you kept the original CSR or not. If you kept the 
original CSR and are just renewing the certificate(s) then when you get 
the new one, use certutil to add the updated cert to the appropriate NSS 
database like:

# certutil -A -n Server-Cert -d /etc/httpd/alias -t u,u,u -a -i /path/to/new.crt

If you need to generate a new CSR then you can use 
ipa-server-certinstall to install the updated key and crt files.

In either case probably worth backing up /etc/httpd/alias/*.db and 
/etc/dirsrv/slapd-INSTANCE/*.db.

rob
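
An added example, not part of the reply above or of FreeIPA's own tooling: a pre-flight script for the two cases described in the reply. It backs up the NSS database files, then compares the public key of the new certificate with the one stored under the nickname, since certutil -A only adds a certificate and relies on the matching private key already being in the database. The function names and the backup location are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks to run before the certutil -A import from the post.
# Function names and the backup directory naming are assumptions.

# same_key CERT_A CERT_B
# 0 = both PEM certificates carry the same public key, 1 = different keys,
# 2 = one of the files could not be parsed as a certificate.
same_key() {
    key_a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_b=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_a" = "$key_b" ]
}

# backup_nssdb NSS_DIR BACKUP_DIR
# Copy the *.db files (they hold private keys) into a directory only the
# caller can read, keeping file modes and timestamps.
backup_nssdb() {
    (umask 077; mkdir -p "$2") && cp -p "$1"/*.db "$2"/
}

# preflight NSS_DIR NICKNAME NEW_CERT
preflight() {
    nss_dir=$1 nick=$2 new_crt=$3
    work=$(mktemp -d) || return 2
    backup_nssdb "$nss_dir" "$nss_dir.bak.$(date +%Y%m%d%H%M%S)" ||
        { rm -rf "$work"; return 2; }
    # Export the certificate currently stored under NICKNAME as PEM.
    certutil -L -d "$nss_dir" -n "$nick" -a > "$work/current.pem" ||
        { rm -rf "$work"; return 2; }
    rc=0
    same_key "$work/current.pem" "$new_crt" || rc=$?
    rm -rf "$work"
    case $rc in
        0) echo "same key: certutil -A will pair the new cert with the stored key" ;;
        1) echo "different key: install key and cert with ipa-server-certinstall" ;;
        *) echo "could not read one of the certificates" >&2 ;;
    esac
    return $rc
}

# Runs only when called with arguments, for example:
#   sh preflight.sh /etc/httpd/alias Server-Cert /path/to/new.crt
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```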