[Freeipa-users] updating certificates

Florence Blanc-Renaud flo at redhat.com
Wed Jan 4 09:09:28 UTC 2017


On 12/24/2016 01:58 AM, Josh wrote:
> Hi Rob,
>
> I'd like to really clarify renew certificate process. I can successfully
> update certificates in /etc/dirsrv/slapd-domain and /etc/httpd/alias but
> any new ipa client gets expired certificate still present someplace in
> LDAP. I was trying to use ipa-server-certinstall, described in
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/third-party-certs-http-ldap.html
> but document does not cover the case where intermediate certificate is
> required.
Hi Josh,

if the HTTP and LDAP certificates were signed by an intermediate CA,
then you need to install both the root CA and the intermediate CA with
ipa-cacert-manage install:

1/ install the root CA (if not already done)
ipa-cacert-manage install rootcert.pem
ipa-certupdate (on all the servers and clients)

2/ install the intermediate CA (if not already done)
ipa-cacert-manage install intermediatecert.pem
ipa-certupdate (on all the servers and clients)

3/ install the HTTP and LDAP certificates
ipa-server-certinstall ...

HTH,
Flo
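The three steps above install each CA certificate from its own PEM file. Vendors often ship the root and intermediate together in one bundle, so the following added example (written for this page, not code from the FreeIPA project or from anyone in the thread) splits a bundle into one-certificate files, checks that each piece holds exactly one certificate, and prints the install commands from steps 1 and 2 for the resulting files. The bundle content is constructed and not a real certificate; the file names, the `split` output directory and the helper names are assumptions. Step 3 (`ipa-server-certinstall`) is left as the thread states it.

```shell
#!/bin/sh
# Added example, not from the FreeIPA project or this thread: prepare one
# PEM file per CA certificate before running the ipa-cacert-manage steps.

# Print the number of PEM certificate blocks in FILE (0 if missing/empty).
pem_cert_count() {
    count=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) \
        || count=${count:-0}
    printf '%s\n' "$count"
}

# Succeed only if FILE holds exactly one certificate, which is the shape
# the per-certificate install steps in the thread expect.
check_single_cert() {
    [ "$(pem_cert_count "$1")" -eq 1 ]
}

# Split BUNDLE into OUTDIR/cert-1.pem, cert-2.pem, ... (one block each),
# keeping the bundle's order; prints the number of files written.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inblock = 1 }
        inblock { print > out }
        /^-----END CERTIFICATE-----/ { inblock = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# Write a constructed two-block bundle to FILE (placeholder bodies, not
# real certificates) so the example runs offline.
make_sample_bundle() {
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' \
        'MIIBconstructedRootCAplaceholderNotARealCertificate' \
        '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' \
        'MIIBconstructedIntermediateCAplaceholderNotARealCert' \
        '-----END CERTIFICATE-----' > "$1"
}

# Print steps 1 and 2 from the thread for ROOTFILE and INTERFILE. The
# commands are echoed rather than executed so this runs on any host.
print_install_steps() {
    echo "# 1/ root CA"
    echo "ipa-cacert-manage install $1"
    echo "ipa-certupdate   # on all the servers and clients"
    echo "# 2/ intermediate CA"
    echo "ipa-cacert-manage install $2"
    echo "ipa-certupdate   # on all the servers and clients"
}

# Stand-alone demo on the constructed bundle in a temporary directory.
workdir=$(mktemp -d)
make_sample_bundle "$workdir/bundle.pem"
n=$(split_pem_bundle "$workdir/bundle.pem" "$workdir/split")
echo "split bundle into $n file(s)"
for f in "$workdir"/split/cert-*.pem; do
    check_single_cert "$f" && echo "ok: $f holds exactly one certificate"
done
# Assumes the bundle lists the root first; confirm before installing.
print_install_steps "$workdir/split/cert-1.pem" "$workdir/split/cert-2.pem"
```

The split keeps the bundle's order, so confirm which file is the root and which the intermediate before installing, for example with `openssl x509 -noout -subject -issuer -in FILE` on each piece (a self-signed root has matching subject and issuer).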

>
> Josh.
>
> On 07/11/2016 10:10 AM, Rob Crittenden wrote:
>> jcnt at use.startmail.com wrote:
>>> On Tuesday, June 28, 2016 10:50 AM, Rob Crittenden
>>> <rcritten at redhat.com> wrote:
>>>> jcnt at use.startmail.com wrote:
>>>>> Greetings,
>>>>>
>>>>> About a year ago I installed my freeipa server with certificates from
>>>>> startssl using command line options --dirsrv-cert-file
>>>>> --http-cert-file
>>>>> etc.
>>>>> The certificate is about to expire, what is the proper way to
>>>>> update it
>>>>> in all places?
>>>>
>>>> It depends on whether you kept the original CSR or not. If you kept the
>>>> original CSR and are just renewing the certificate(s) then when you get
>>>> the new one, use certutil to add the updated cert to the appropriate
>>>> NSS
>>>> database like:
>>>>
>>>> # certutil -A -n Server-Cert -d /etc/httpd/alias -t u,u,u -a -i
>>>> /path/to/new.crt
>>>>
>>>
>>> Rob,
>>>
>>> Thank you, that worked just fine, except that I had to update an
>>> intermediate certificate as well.
>>>
>>> Two questions, please:
>>>
>>> 1. I noticed a strange discrepancy in behavior between
>>> /etc/httpd/alias and /etc/dirsrv/slapd-domain.
>>> In both places original intermediate certificate is listed with empty
>>> ",," trust attributes so I initially added new intermediate
>>> certificate with empty attributes as well.
>>> certutil -V showed valid certificate in /etc/httpd/alias and not
>>> trusted in /etc/dirsrv/slapd-domain so I had to modify intermediate
>>> certificate with -t "C,,"
>>
>> Hmm, not sure. Did the CA chain change in between the issuance of the
>> two certs?
>>
>> Adding a new certificate shouldn't affect the trust of any other certs
>> so I'm not sure what happened. It could be that those subordinate CAs
>> were loaded the first time incorrectly but weren't used so it wasn't
>> noticed, I'm not really sure.
>>
>>> 2. Just out of curiosity I wanted to list private keys and is
>>> prompted for a password:
>>> # certutil -K -d /etc/httpd/alias/
>>> certutil: Checking token "NSS Certificate DB" in slot "NSS User
>>> Private Key and Certificate Services"
>>> Enter Password or Pin for "NSS Certificate DB":
>>>
>>> Which one of the many provided by a user passwords is used by
>>> ipa-server-install command during NSS database initialization?
>>
>> In each NSS directory there is a pwdfile.txt which contains the PIN
>> for the internal token. You can add -f /etc/httpd/alias/pwdfile.txt to
>> your command to list the private keys.
>>
>> rob
>