[Freeipa-users] Renew / Replace third-party certificate for IPA Servers(primary and replica)

Florence Blanc-Renaud flo at redhat.com
Thu Oct 20 06:22:01 UTC 2016


On 10/20/2016 05:05 AM, beeth beeth wrote:
> First of all, thanks for the quick response Florence!
>
> I have a question about your suggested steps [1] and [2]:
> For [1], "ipa-cacert-manage install cert.pem". Which certificate is
> this? Is it the ChainBundle cert (root cert + intermediate cert)?
> For [2], "ipa-server-certinstall -d /path/to/pkcs12.p12". Which
> certificate is this pkcs12.p12? Is it the Server cert?
>
> Here's exactly what I ran initially to install the IPA server with the
> Verisign certs, by following your suggestion last time (at the Admin
> manual 2.3.6. Installing Without a CA), and it worked well:
>
> # ipa-server-install --http-cert-file ServerCertificate.crt
> --http-cert-file ipaserver1.encrypted.key --http-pin MYipakey
> --dirsrv-cert-file ServerCertificate.crt --dirsrv-cert-file
> ipaserver1.encrypted.key --dirsrv-pin MYipakey --ca-cert-file
> ChainBundle2.crt
>
> So, basically the installation requested 3 items: the server
> key (ipaserver1.encrypted.key), the server certificate from
> Verisign (ServerCertificate.crt), and the "root+intermediate" certs from
> Verisign (ChainBundle2.crt).
> Now let's say such a Verisign certificate expires, and I want to replace
> the certs with ones from GoDaddy (another public cert provider). I assume a
> new set of certs, including the new key, the new server cert, and the new
> Chain cert (root+intermediate), 3 items in total, will need to be included
> in the commands for the third-party certificate replacement.
> The steps [1] and [2] only show two inputs, so I am not sure what I have
> been missing.
>
Hi,

Sorry if I was not clear enough. The first step (ipa-cacert-manage 
install) aims at adding the CA certificate, thus the root+intermediate 
certs should be provided.

The step with ipa-server-certinstall configures the Server Cert (-d if 
you want to replace the LDAP cert, -w for HTTP cert), meaning that the 
Server-Cert and key should be provided. The man page details all the 
supported formats, and it is possible to provide multiple files.

Hope this clarifies,
Flo.

> Please advise the detail. Thanks again!
> Beeth
>
>
> On Wed, Oct 19, 2016 at 11:49 AM, Florence Blanc-Renaud <flo at redhat.com
> <mailto:flo at redhat.com>> wrote:
>
>     On 10/19/2016 05:23 PM, beeth beeth wrote:
>
>         I once asked about installing IPA servers with a certificate provided by
>         a third party like
>         Verisign (https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html).
>         Florence, Rob and Jakub from Redhat had been very helpful, and
>         pointed out the solution at
>         https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca,
>         about "Installing Without a CA", and it worked great!
>
>         Now another problem came up: the Verisign (or any other)
>         certificate will expire in a year or two. How can I smoothly
>         renew the Verisign certificate on the primary and replica IPA
>         servers a year from now? Or if we decide to use another provider,
>         say a Godaddy certificate, how can I replace the existing
>         certificate on both IPA servers? I found a relevant instruction at
>         https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#auto-cert-renewal,
>         but that's about the "Dogtag" CA certificate, not about the
>         third-party certificate I am using in our upcoming production
>         environment (running IPA 4.2 on RHEL7).
>
>     Hi,
>
>     if you plan to use another CA (for instance switch from Verisign to
>     Godaddy), you will first need to install the new CA certificate with
>     ipa-cacert-manage install and ipa-certupdate. The instructions are
>     in 30.4 Manual CA Certificate Installation [1].
>
>     Then, if you want to change the HTTP and LDAP certificates for your
>     server, you can use the ipa-server-certinstall utility [2].
>
>     [1]
>     https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#manual-cert-install
>
>     [2]
>     https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#Configuring_Certificates_and_Certificate_Authorities
>
>     Hope this helps,
>     Flo.
>
>
>         Please advise. Thank you!
>         Beeth
>
>
>
