[Freeipa-users] section 2.3.6. Installing Without a CA - then how to update expired certificates in LDAP?

Florence Blanc-Renaud flo at redhat.com
Mon Jan 2 09:23:34 UTC 2017


On 12/24/2016 05:54 AM, Josh wrote:
> I discussed this problem once before and got partial answers but I would
> like to finally resolve it.
>
> Scenario:
>
> 1. Install IPA without a CA, according to section 2.3.6 as of now in the
> latest RHEL7 Linux Domain Identity, Authentication and Policy Guide.
> 2. Install a client and note the certificates it receives from IPA LDAP.
> 3. Near the expiration date, obtain a new set of certificates (server and
> intermediate); note that the intermediate certificate common name has changed.
> 4. Run "ipa-server-certinstall -d -w key cert" to update all
> certificates. The command asks for the directory manager password, so I suppose it
> should update its contents, but
> 5. Install another client and observe that it receives the original
> certificates and no ipa command works.
> 6. ipa-certupdate, when run, pulls the original set from LDAP as if nothing
> was updated.
>
> The workaround is to manually install the new intermediate certificate on all
> systems in /etc/ipa/nssdb by running
> certutil -d /etc/ipa/nssdb/ -A -n "StartCom Class 1 DV Server CA -
> StartCom Ltd." -t C,, -i /tmp/1_Intermediate.crt
>
> In LDAP under cn=certificates,cn=ipa,cn=etc,dc=example,dc=org I still
> see the previous version of the intermediate certificate with a different common
> name:
> StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital
> Certificate Signing,O=StartCom Ltd.,C=IL
>
> Please help me replace it by any means.
>
> Best Regards,
> Josh.
>
Hi Josh,

As you write that "intermediate certificate common name has changed", I 
assume that the intermediate CA providing the new server certificates is 
different. In this case, the command ipa-cacert-manage install must be 
run to install the new intermediate CA *before* ipa-server-certinstall 
is run to install the new server certificates.

Please refer to Installing a CA Certificate Manually [1] or Using 3rd 
part certificates for HTTP/LDAP [2]. Do not forget to run ipa-certupdate 
on all the IPA servers/clients in order to install the new intermediate 
CA cert.

HTH,
Flo.

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/manual-cert-install.html
[2] http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
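The pre-flight check that Flo's ordering implies, as an added example that is not part of this thread or of the FreeIPA project: it compares the issuer of the new server certificate with the CA certificates IPA already publishes and prints the server-side commands in the required order. The function names, the NEW_INTERMEDIATE.pem placeholder and the assumption that /etc/ipa/ca.crt holds the CAs from cn=certificates are mine.

```shell
#!/bin/sh
# Added example, not from this thread or from the FreeIPA project: a
# pre-flight check for the rollover discussed above. It compares the issuer
# of the new server certificate with the CA certificates IPA already
# publishes (assumed here to be the bundle ipa-certupdate writes to
# /etc/ipa/ca.crt) and prints the server-side commands in order.
# Assumes openssl is installed; NEW_INTERMEDIATE.pem is a placeholder.

# Issuer DN of one PEM certificate, in OpenSSL's one-line form.
cert_issuer() {
  openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//'
}

# Subject DN of every certificate in a PEM bundle, one per line, in the
# same one-line form so the two can be compared as plain strings.
bundle_subjects() {
  dir=$(mktemp -d)
  awk -v d="$dir" '/BEGIN CERTIFICATE/{n++} {print > (d "/" n ".pem")}' "$1"
  for f in "$dir"/*.pem; do
    openssl x509 -noout -subject -in "$f" 2>/dev/null | sed 's/^subject=//'
  done
  rm -rf "$dir"
}

# Args: issuer DN of the new server cert, newline-separated list of
# published CA subject DNs, key file, cert file. Prints the commands to
# run on the IPA server, one per line, in the required order.
plan_cert_rollover() {
  issuer="$1"; published="$2"; key="$3"; cert="$4"
  if ! printf '%s\n' "$published" | grep -Fxq -- "$issuer"; then
    # The new intermediate is not in cn=certificates yet: publishing it
    # first is what makes ipa-certupdate hand the new chain to clients.
    echo "ipa-cacert-manage install NEW_INTERMEDIATE.pem"
  fi
  echo "ipa-server-certinstall -d -w $key $cert"
  # Run on this server, then on every other IPA server and client.
  echo "ipa-certupdate"
}

# Usage: ./preflight.sh server.key server.crt
if [ $# -eq 2 ]; then
  plan_cert_rollover "$(cert_issuer "$2")" \
    "$(bundle_subjects /etc/ipa/ca.crt)" "$1" "$2"
fi
```

If the first line printed is ipa-cacert-manage install, running ipa-server-certinstall on its own reproduces the symptom in the thread: the server cert changes but LDAP still publishes the old intermediate, so ipa-certupdate and new clients keep the old chain.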
