On Thu, Aug 17, 2017 at 11:01:41AM +0800, Alka Murali via FreeIPA-users wrote:
> Hello,
>
> I am using the embedded CA For FreeIPA as well as external CA Signed by
> Digicert. However, the certificate will be expiring next month.
>
> After renewal, do I need to install the certificate again using the same
> steps mentioned within the link
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> Similarly how will I be able to update the new certificate in my IPA
> Clients too. Do I need to follow the steps below on all IPA Clients?
>
> -----
>
> certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i ipa.crt
>
> cp ipa.crt /etc/ipa/ca.crt
>
> -------
>
> Can you please brief up the exact procedure to follow for the third party
> SSL cert renewal.
>
> Thanks and Regards,
>
> Alka Murali
>

Hi Alka,

For **service certificates** use `ipa-server-certinstall` or `certutil -A` to update the certificate(s) on the server(s). No action is required on clients.

For **CA certificates** ... is your IPA CA certificate really signed by Digicert? If so, use `ipa-cacert-manage install` to install the new CA certificate. This only needs to be done on one master. Then run `ipa-certupdate` on masters and clients to force an immediate refresh of the CA certificates on those hosts.

Cheers,
Fraser
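
An added example, not part of the reply above and not FreeIPA project code: a shell helper that inspects a renewed PEM certificate with `openssl x509`, reports whether it is a CA or a service certificate, and prints the follow-up the reply names for that case. The function names, the script name and the 30-day default are assumptions.

```shell
#!/bin/sh
# Added example: classify a PEM certificate and map it to the renewal path
# from the reply. Function names and the 30-day default are assumptions.

# Print "ca" if basicConstraints marks the certificate as a CA, else "service".
cert_kind() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo ca
    else
        echo service
    fi
}

# Succeed (exit 0) if the certificate expires within $2 days.
# `openssl x509 -checkend N` exits 0 when the cert is still valid in N seconds.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Print the follow-up named in the reply for this kind of certificate.
renewal_path() {
    case "$(cert_kind "$1")" in
        ca)      echo "ipa-cacert-manage install on one master; ipa-certupdate on masters and clients" ;;
        service) echo "ipa-server-certinstall or certutil -A on the server(s); no client action" ;;
    esac
}

# Usage: sh check-cert.sh renewed.pem [days]
if [ "$#" -ge 1 ]; then
    # Refuse input that openssl cannot parse instead of misclassifying it.
    if ! openssl x509 -in "$1" -noout 2>/dev/null; then
        echo "$1: not a readable PEM certificate" >&2
        exit 2
    fi
    days="${2:-30}"
    if expires_within_days "$1" "$days"; then
        echo "$1 expires within $days days"
    fi
    renewal_path "$1"
fi
```
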
