[Freeipa-users] Renew / Replace third-party certificate for IPA Servers(primary and replica)
Florence Blanc-Renaud
flo at redhat.com
Thu Oct 20 06:22:01 UTC 2016
On 10/20/2016 05:05 AM, beeth beeth wrote:
> First of all, thanks for the quick response Florence!
>
> I have a question about your suggested steps [1] and [2]:
> For [1], "ipa-cacert-manage install cert.pem". Which certificate is
> this? Is it the ChainBundle cert(root cert + intermediate cert)?
> For [2], "ipa-server-certinstall -d /path/to/pkcs12.p12" . Which
> certificate is this pkcs12.p12? Is it the Server cert?
>
> Here's exactly what I ran initially to install the IPA server with the
> Verisign certs, by following your suggestion last time (at the Admin
> manual, 2.3.6 Installing Without a CA), and it worked well:
>
> # ipa-server-install \
>     --http-cert-file ServerCertificate.crt --http-cert-file ipaserver1.encrypted.key --http-pin MYipakey \
>     --dirsrv-cert-file ServerCertificate.crt --dirsrv-cert-file ipaserver1.encrypted.key --dirsrv-pin MYipakey \
>     --ca-cert-file ChainBundle2.crt
>
> So, basically the installation requested 3 items: the server
> key (ipaserver1.encrypted.key), the server certificate from
> Verisign (ServerCertificate.crt), and the "root+intermediate" certs from
> Verisign (ChainBundle2.crt).
> Now let's say such a Verisign certificate expires, and I want to replace
> the certs with ones from GoDaddy (another public cert provider). I assume a new set
> of certs, including the new key, the new server cert, and the new Chain
> cert (root+intermediate), 3 items in total, will need to be included in the
> commands for the third-party certificate replacement.
> The steps [1] and [2] only show two inputs, so I am not sure what I have
> been missing.
>
Hi,
Sorry if I was not clear enough. The first step (ipa-cacert-manage
install) aims at adding the CA certificate, thus the root+intermediate
certs should be provided.
The step with ipa-server-certinstall configures the Server Cert (-d if
you want to replace the LDAP cert, -w for the HTTP cert), meaning that the
Server-Cert and key should be provided. The man page details all the
supported formats, and it is possible to provide multiple files.
Hope this clarifies,
Flo.
> Please advise the detail. Thanks again!
> Beeth
>
>
> On Wed, Oct 19, 2016 at 11:49 AM, Florence Blanc-Renaud <flo at redhat.com> wrote:
>
> On 10/19/2016 05:23 PM, beeth beeth wrote:
>
> I once asked about installing IPA servers with a certificate provided by a
> third party like Verisign
> (https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html).
> Florence, Rob and Jakub from Redhat had been very helpful, and pointed
> out the solution at
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca,
> about "Installing Without a CA", and it worked great!
>
> Now another problem has come up: the Verisign (or any other)
> certificate will expire in a year or two. How can I smoothly renew the
> Verisign certificate on the primary and replica IPA servers a year from
> now? Or if we decide to use another provider, say a Godaddy certificate,
> how can I replace the existing certificate on both IPA servers? I found
> a relevant instruction at
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#auto-cert-renewal,
> but that's about the "Dogtag" CA certificate, not about the third-party
> certificate I am using in our upcoming production environment (running
> IPA 4.2 on RHEL7).
>
> Hi,
>
> if you plan to use another CA (for instance switch from Verisign to
> Godaddy), you will first need to install the new CA certificate with
> ipa-cacert-manage install and ipa-certupdate. The instructions are
> in 30.4 Manual CA Certificate Installation [1].
>
> Then, if you want to change the HTTP and LDAP certificates for your
> server, you can use the ipa-server-certinstall utility [2].
>
> [1]
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#manual-cert-install
>
> [2]
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#Configuring_Certificates_and_Certificate_Authorities
>
> Hope this helps,
> Flo.
>
>
> Please advise. Thank you!
> Beeth
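The procedure in this thread, as an added example that is not part of the original messages and not code from the FreeIPA project: a pre-flight check of the replacement bundle (does the new key match the new server cert, does the server cert chain to the supplied root+intermediate bundle, does it cover this host's FQDN), the PKCS#12 packaging that ipa-server-certinstall takes, and then Flo's two steps. The file names chain.pem, server.crt, server.key and server.p12, the environment variables KEY_PIN and P12_PIN, and the host name ipaserver1.example.com are assumptions for illustration; the ipa-cacert-manage / ipa-server-certinstall option names are those of the IPA 4.x man pages and should be checked against the installed version before use.

```shell
#!/bin/sh
# Added example, not code from this thread or from the FreeIPA project.
# Pre-flight checks on a replacement third-party certificate bundle, then the
# two IPA steps from the reply above. Assumed (hypothetical) file names:
#   chain.pem  = root + intermediate CA certificates, PEM (the "ChainBundle")
#   server.crt = the server (leaf) certificate, PEM
#   server.key = the matching private key, PEM; set KEY_PIN if it is encrypted
set -eu
export KEY_PIN="${KEY_PIN:-}"   # password of an encrypted server key, if any

# 0 if the private key and the certificate carry the same public key
# (both are printed as PEM SubjectPublicKeyInfo, so a string compare is exact).
key_matches_cert() {   # cert key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin env:KEY_PIN -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the leaf chains up to the supplied root+intermediate bundle and, when a
# host name is given, that name is covered by the certificate's SAN/CN.
# A bundle missing the intermediate fails here, which is a common cause of
# "unknown issuer" errors from clients after the server cert is replaced.
chain_verifies() {   # chain cert [fqdn]
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Bundle leaf + key + chain into the PKCS#12 file that ipa-server-certinstall
# accepts. P12_PIN must hold the export password (passed via env, not argv).
build_pkcs12() {   # chain cert key out.p12
    : "${P12_PIN:?set P12_PIN to the PKCS#12 password}"
    export P12_PIN
    openssl pkcs12 -export -in "$2" -inkey "$3" -certfile "$1" \
        -passin env:KEY_PIN -passout env:P12_PIN -out "$4"
}

# Run every check and stop on the first failure.
preflight() {   # chain cert key [fqdn]
    key_matches_cert "$2" "$3" || { echo "key $3 does not match $2" >&2; return 1; }
    chain_verifies "$1" "$2" "${4:-}" || { echo "$2 does not chain to $1 (or wrong host name)" >&2; return 1; }
    echo "pre-flight OK: $2 matches $3 and chains to $1"
}

# The replacement itself, as in the reply above: step [1] on one server, then
# ipa-certupdate and step [2] on EVERY server (primary and replica), each with
# the PKCS#12 issued for its own host name; run ipa-certupdate on clients too.
# Option names are those of the IPA 4.x man pages (ipa-cacert-manage(1),
# ipa-server-certinstall(1)); confirm them against the version you run. If
# your release accepts only one certificate per ipa-cacert-manage call, split
# the chain and run it once per CA certificate.
install_on_ipa_server() {   # chain server.p12
    ipa-cacert-manage install "$1"        # [1] add the new root+intermediate (prompts for the Directory Manager password)
    ipa-certupdate                        # pull the new CA into this server's local trust stores
    ipa-server-certinstall -d -w --pin "$P12_PIN" "$2"   # [2] replace the LDAP (-d) and HTTP (-w) server certs
    ipactl restart                        # the tool asks for a restart; do it before testing
}

case "${1:-}" in
    check)   preflight "$2" "$3" "$4" "${5:-}" ;;
    install) install_on_ipa_server "$2" "$3" ;;
esac
```

Typical use: `sh replace-cert.sh check chain.pem server.crt server.key ipaserver1.example.com`, then `P12_PIN=... build_pkcs12 chain.pem server.crt server.key server.p12` (source the script, or call it from another), copy the per-host PKCS#12 to each server and run `sh replace-cert.sh install chain.pem server.p12` there. Keep the host check in: a certificate that validates but was issued for the other IPA server will install cleanly and then break Kerberos/LDAP clients that check the name. The three inputs the question asks about map directly onto the two commands: the chain goes to ipa-cacert-manage, and the server cert plus its key (here packed into one PKCS#12) go to ipa-server-certinstall.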