On Thu, Aug 17, 2017 at 11:01:41AM +0800, Alka Murali via FreeIPA-users wrote:
> Hello,
> I am using the embedded CA for FreeIPA as well as external CA signed by
> Digicert. However, the certificate will be expiring next month.
> After renewal, do I need to install the certificate again using the same
> steps mentioned within the link
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> Similarly, how will I be able to update the new certificate in my IPA
> Clients too? Do I need to follow the steps below on all IPA Clients?
> -----
> certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i ipa.crt
> cp ipa.crt /etc/ipa/ca.crt
> -------
> Can you please brief up the exact procedure to follow for the third party
> SSL cert renewal.
> Thanks and Regards,
> Alka Murali
Hi Alka,

For **service certificates** use `ipa-server-certinstall` or
`certutil -A` to update the certificate(s) on the server(s).
No action is required on clients.

For **CA certificates** ... is your IPA CA certificate really signed
by Digicert?  If so, use `ipa-cacert-manage install` to install the
new CA certificate.  This only needs to be done on one master.  Then
run `ipa-certupdate` on masters and clients to force an immediate
refresh of the CA certificates on those hosts.

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
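
As an added example (not part of the original messages and not FreeIPA project code), this script tells the two cases in the reply apart by reading the Basic Constraints extension from `openssl x509 -noout -text` output, then prints the matching steps. The function names, the `<new-ca.pem>` placeholder and the sample text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: pick the renewal path for a certificate.

# Constructed sample of `openssl x509 -noout -text` output for a CA certificate.
SAMPLE_CA_TEXT='        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE'

# Read `openssl x509 -noout -text` output on stdin; print "ca" when the line
# after "X509v3 Basic Constraints" contains CA:TRUE, otherwise "service".
cert_kind_from_text() {
    awk '/X509v3 Basic Constraints/ { bc = 1; next }
         bc { if ($0 ~ /CA:TRUE/) ca = 1; bc = 0 }
         END { print (ca ? "ca" : "service") }'
}

# Print the steps the reply gives for that kind of certificate.
renewal_steps() {
    case "$1" in
        ca)
            echo "ipa-cacert-manage install <new-ca.pem>   # on one master only"
            echo "ipa-certupdate                           # on every master and client"
            ;;
        service)
            echo "ipa-server-certinstall or certutil -A    # on the server(s)"
            echo "# no action is required on clients"
            ;;
        *)
            echo "unknown certificate kind: $1" >&2
            return 1
            ;;
    esac
}

# Inspect a PEM file (path supplied by the caller) and print its steps.
plan_for_file() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    kind=$(printf '%s\n' "$text" | cert_kind_from_text)
    echo "$1 is a $kind certificate:"
    renewal_steps "$kind"
}

# With no argument, demonstrate on the constructed sample above.
if [ "$#" -gt 0 ]; then
    plan_for_file "$1"
else
    renewal_steps "$(printf '%s\n' "$SAMPLE_CA_TEXT" | cert_kind_from_text)"
fi
```

Run it with the path of the renewed certificate as its only argument; a certificate without a Basic Constraints extension is treated as a service certificate.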