[Spacewalk-list] Renewing Third-Party CA SSL Certificate with FQDN

Robert Paschedag robert.paschedag at web.de
Wed Oct 28 07:01:25 UTC 2015


As long as the root CA did NOT change, your steps should work and no client needs to update anything.

You don't need to clear the jabber db.

Regards
Robert

On 28.10.2015 at 3:14 AM, Jun <junk at mle.org> wrote:
>
> Hoping someone can offer some advice on the following situation. 
>
> Have an internal spacewalk 2.2 server that is using a third-party CA 
> certificate (not an internal CA) 
> * The CSR used for the current ssl certificate specified the CN with 
> the short hostname (not FQDN).  For example, if hostname = 
> myserver.domain.com, CN = myserver 
> * The ssl certificate is expiring. 
> * The third-party CA is no longer issuing ssl certificates for short hostnames 
>
> Would like to use the same CA and minimize impact. 
>
> Would something like this be sufficient; if not, appreciate any suggestions: 
> * manually generate a new CSR with CN with fully qualified hostname 
> using the existing server key 
> * submit CSR to same third-party CA 
> * backup /etc/httpd/conf/ssl.*, /etc/pki, /root/ssl-build, 
> /var/www/html/pub, jabberd/server.pem 
> install new third-party CA ssl certificate: 
> During maintenance: 
> * replace a copy of the new ssl certificate (.crt) and .csr in Apache 
> directories 
> * convert crt to pem and update /etc/pki/spacewalk/jabberd/server.pem 
> * stop spacewalk 
> * clear jabber database 
> * start spacewalk 
>
> Hoping the clients do not have to be updated (i.e. 
> /etc/sysconfig/rhn/up2date or RHN-ORG-TRUSTED-SSL-CERT) 
> Appears they are referencing the shortname (but the domain being used 
> is in the dns search order) 
>
> Thank you for your advice. 
>
> _______________________________________________ 
> Spacewalk-list mailing list 
> Spacewalk-list at redhat.com 
> https://www.redhat.com/mailman/listinfo/spacewalk-list 
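
The renewal steps discussed in this thread, as an added example that is not part of the original messages: it reissues a certificate with the FQDN as CN from the existing key, then checks key reuse, the CA chain, and which hostnames the certificate matches. The CA is a constructed throwaway, all paths are temporary, and the jabberd server.pem layout (certificate followed by private key) is an assumption.

```shell
# Added example: throwaway CA and temp paths; touches no real Spacewalk files.
FQDN=myserver.domain.com   # hostname from the thread's example
SHORT=myserver
W=$(mktemp -d)

# Constructed stand-in for the third-party CA and the existing server key.
setup() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed Test CA" \
    -keyout "$W/ca.key" -out "$W/ca.crt" 2>/dev/null
  openssl genrsa -out "$W/server.key" 2048 2>/dev/null
}

# Step from the thread: new CSR with the FQDN as CN, reusing the existing key.
make_csr() {
  openssl req -new -key "$W/server.key" -subj "/CN=$FQDN" -out "$W/server.csr"
}

# Stand-in for the CA issuing the renewed certificate.
issue() {
  openssl x509 -req -in "$W/server.csr" -CA "$W/ca.crt" -CAkey "$W/ca.key" \
    -CAcreateserial -days 30 -out "$W/server.crt" 2>/dev/null
}

# Check 1: the renewed certificate carries the same public key as the existing key.
same_key() {
  [ "$(openssl x509 -in "$W/server.crt" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$W/server.key" -pubout | openssl sha256)" ]
}

# Check 2: it chains to the CA certificate that clients already hold.
chains_to_ca() {
  openssl verify -CAfile "$W/ca.crt" "$W/server.crt" >/dev/null 2>&1
}

# Check 3: does the certificate match the hostname given as $1?
matches_host() {
  openssl x509 -in "$W/server.crt" -noout -checkhost "$1" | grep -q "does match"
}

# Assumed layout of jabberd's server.pem: certificate followed by private key.
build_jabberd_pem() {
  cat "$W/server.crt" "$W/server.key" > "$W/server.pem"
}

setup && make_csr && issue && build_jabberd_pem
for h in "$FQDN" "$SHORT"; do
  if matches_host "$h"; then echo "$h: matches"; else echo "$h: does NOT match"; fi
done
same_key && chains_to_ca && echo "same key, same CA chain"
```

The hostname check reports a match for the FQDN only, so it is worth confirming which name each client actually uses to reach the server before the maintenance window.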



