[Freeipa-users] Renew / Replace third-party certificate for IPA Servers(primary and replica)
Florence Blanc-Renaud
flo at redhat.com
Wed Oct 19 15:49:57 UTC 2016
On 10/19/2016 05:23 PM, beeth beeth wrote:
> I once asked about installing IPA servers with a certificate provided by
> a third party like
> Verisign (https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html).
> Florence, Rob and Jakub from Redhat had been very helpful, and pointed
> out the solution at
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca,
> about "Installing Without a CA", and it worked great!
>
> Now another problem has come up: the Verisign (or any other
> certificate) will expire in a year or two, so how can I smoothly renew the
> Verisign certificate on the primary and replica IPA servers a year from
> now? Or if we decide to use another provider, say a Godaddy certificate,
> how can I replace the existing certificate on both IPA servers? I found
> a relevant instruction at
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#auto-cert-renewal,
> but that's about the "Dogtag" CA certificate, not about the third-party
> certificate I am using in our upcoming production environment (running
> IPA 4.2 on RHEL7).
>
Hi,
if you plan to use another CA (for instance switch from Verisign to
Godaddy), you will first need to install the new CA certificate with
ipa-cacert-manage install and ipa-certupdate. The instructions are in
30.4 Manual CA Certificate Installation [1].
Then, if you want to change the HTTP and LDAP certificates for your
server, you can use the ipa-server-certinstall utility [2].
[1]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#manual-cert-install
[2]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#Configuring_Certificates_and_Certificate_Authorities
Hope this helps,
Flo.
> Please advise. Thank you!
> Beeth
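An added example, not part of the thread and not FreeIPA's own tooling: a small POSIX shell runbook for the two-phase procedure Flo describes (first make every server trust the new CA with ipa-cacert-manage install and ipa-certupdate, then swap the HTTP and LDAP certificates with ipa-server-certinstall). It runs in dry-run mode by default and only prints the commands. Host names, file paths, the "New CA" nickname, the PKCS#12 PIN and the NSS trust flags are placeholders or assumptions; the days_until_expiry helper assumes GNU date and openssl are installed.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run runbook for replacing a
# third-party CA and the HTTP/LDAP certificates on every IPA server.
# Phase 1 must finish on ALL servers before phase 2 starts anywhere, so
# each server already trusts the chain the others will start presenting.
set -eu

# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY-RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# Phase 1: install the new CA chain into IPA's trust store and push it to
# the local NSS databases. Assumption: the 'C,,' trust flags mark the CA as
# trusted to issue TLS server certificates; the nickname is a placeholder.
install_new_ca() {
  ca_pem="$1"
  nickname="$2"
  run ipa-cacert-manage install "$ca_pem" -n "$nickname" -t 'C,,'
  run ipa-certupdate
}

# Phase 2: replace the HTTP (-w) and LDAP (-d) certificates from one PKCS#12
# bundle holding the new key, certificate and chain. The PIN protects the
# bundle; the Directory Manager password is prompted for unless passed with
# --dirman-password.
replace_service_certs() {
  p12="$1"
  pin="$2"
  run ipa-server-certinstall -w -d --pin="$pin" "$p12"
}

# Days until the certificate in a PEM file expires (GNU date + openssl
# assumed). Useful for scheduling the renewal window a year ahead.
days_until_expiry() {
  pem="$1"
  end=$(openssl x509 -noout -enddate -in "$pem" | cut -d= -f2)
  echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

# Print the ordered plan for a whole topology (space-separated host list).
# Always a dry run: the commands are meant to be executed on each host,
# phase 1 everywhere first, then phase 2 host by host.
renew_plan() {
  hosts="$1"
  (
    DRY_RUN=1
    for h in $hosts; do
      printf '# phase 1 on %s\n' "$h"
      install_new_ca /root/new-ca-chain.pem "New CA"   # placeholder path
    done
    for h in $hosts; do
      printf '# phase 2 on %s\n' "$h"
      replace_service_certs "/root/$h-http-ldap.p12" '<pin>'   # placeholders
    done
  )
}

# Usage: renew_plan "ipa1.example.test ipa2.example.test"
```

Running replace_service_certs with DRY_RUN=0 on a replica before install_new_ca has run on its peers is the classic way to break replication mid-change, because the peer still validates the LDAP connection against the old CA; the plan's ordering exists to prevent that.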