On Thu, Aug 17, 2017 at 01:14:00PM +0800, Alka Murali via FreeIPA-users wrote:
> Hi Fraser,
> 
> Thanks for the reply.
> 
> However I have both my IPA CA and third party CA, where IPA CA is self
> signed and third party CA Signed by DigiCert. So if my SSL certificate is
> going to expire next month, all that I need to do is to execute 'certutil
> -A' alone?
>
That's correct (or use `ipa-server-certinstall` to do the same thing).

> I have installed FreeIPA Server with default CA Provided by IPA
> (Self-Signed). Later I have installed my Third Party SSL On top of it. Now
> my SSL is going to expire next month. So is 'certutil -A' needed for the
> new certificate to get used by IPA?
> 
Yes, you need to put the new certificate in the application's NSSDB,
then restart the application (httpd and/or dirsrv) so that it is
using the new certificate.  Clients will already trust the Digicert
CA so no other action should be required.

Cheers,
Fraser

> Thanks and Regards,
> Alka Murali
> 
> On Thu, Aug 17, 2017 at 1:06 PM, Fraser Tweedale <ftwee...@redhat.com>
> wrote:
> 
> > On Thu, Aug 17, 2017 at 11:01:41AM +0800, Alka Murali via FreeIPA-users
> > wrote:
> > > Hello,
> > >
> > > I am using the embedded CA For FreeIPA as well as external CA Signed by
> > > Digicert. However, the certificate will be expiring next month.
> > >
> > > After renewal, do I need to install the certificate again using the same
> > > steps mentioned within the link
> > > https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> > >
> > > Similarly how will I be able to update the new certificate in my IPA
> > > Clients too. Do I need to follow the steps below on all IPA Clients?
> > >
> > > -----
> > >
> > > certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i ipa.crt
> > >
> > > cp ipa.crt /etc/ipa/ca.crt
> > >
> > > -------
> > >
> > > Can you please brief up the exact procedure to follow for the third party
> > > SSL cert renewal.
> > >
> > > Thanks and Regards,
> > >
> > > Alka Murali
> > >
> > Hi Alka,
> >
> > For **service certificates** use `ipa-server-certinstall` or
> > `certutil -A` to update the certificate(s) on the server(s).
> > No action is required on clients.
> >
> > For **CA certificates** ... is your IPA CA certificate really signed
> > by Digicert?  If so, use `ipa-cacert-manage install` to install the
> > new CA certificate.  This only needs to be done on one master.  Then
> > run `ipa-certupdate` on masters and clients to force an immediate
> > refresh of the CA certificates on those hosts.
> >
> > Cheers,
> > Fraser
> >

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
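Fraser's answer covers the replacement step, but the situation in the thread (a third-party certificate noticed a month before expiry) is one IPA cannot prevent on its own: certmonger can renew certificates it requested from the IPA CA, not a certificate bought from DigiCert, so that expiry needs its own watch. The script below is an added example, not code from this thread or from the FreeIPA project. It parses the text that `certutil -L -d <db>` (nickname listing) and `certutil -L -d <db> -n <nick>` (pretty-printed certificate) print and reports every nickname expiring within a warning window. The sample certutil output, the nicknames, the dates and the `/etc/httpd/alias` directory are constructed placeholders; certutil prints the validity time without a zone, and it is treated as UTC here, which is an assumption.

```python
"""Flag certificates in a FreeIPA NSS database that expire within N days.

Added example, not from the mailing-list thread or the FreeIPA project.
It parses the text that `certutil -L -d <db>` (nickname listing) and
`certutil -L -d <db> -n <nick>` (pretty-printed certificate) produce.
The sample output below is constructed; nicknames, dates and the
/etc/httpd/alias path are placeholders for a real deployment.
"""
import re
import subprocess
import sys
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# certutil prints validity as e.g. "Not After : Sat Sep 16 05:14:00 2017"
NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$", re.MULTILINE)
NSS_TIME_FMT = "%a %b %d %H:%M:%S %Y"
# listing rows are "<nickname><2+ spaces><trust flags>"
ROW_RE = re.compile(r"^(.*?)\s{2,}(\S+)\s*$")


def parse_nicknames(listing: str) -> List[Tuple[str, str]]:
    """Return (nickname, trust) pairs from `certutil -L -d <db>` output.

    The two header lines and blank lines are skipped; nicknames may
    contain single spaces, so each row is split on its last run of spaces.
    """
    rows = []
    for line in listing.splitlines():
        stripped = line.strip()
        if (not stripped or stripped.startswith("Certificate Nickname")
                or stripped.startswith("SSL,S/MIME")):
            continue
        m = ROW_RE.match(line.rstrip())
        if m:
            rows.append((m.group(1).strip(), m.group(2)))
    return rows


def parse_not_after(pretty: str) -> datetime:
    """Extract the expiry from pretty-printed certutil output.

    certutil prints no zone; the time is treated as UTC here (assumption).
    """
    m = NOT_AFTER_RE.search(pretty)
    if not m:
        raise ValueError("no 'Not After' line in certutil output")
    return datetime.strptime(m.group(1), NSS_TIME_FMT).replace(tzinfo=timezone.utc)


def days_left(pretty: str, now: datetime) -> int:
    """Whole days until the certificate in `pretty` expires (negative if past)."""
    return (parse_not_after(pretty) - now).days


def expiring(certs: Dict[str, str], now: datetime,
             warn_days: int = 30) -> List[Tuple[str, int]]:
    """(nickname, days_left) for every cert expiring within warn_days, soonest first."""
    hits = [(nick, days_left(pretty, now)) for nick, pretty in certs.items()]
    return sorted((h for h in hits if h[1] <= warn_days), key=lambda h: h[1])


def load_from_nssdb(db_dir: str) -> Dict[str, str]:
    """Read every certificate's pretty-print from a real NSS database via certutil."""
    def run(*args: str) -> str:
        return subprocess.run(["certutil", "-L", "-d", db_dir, *args],
                              check=True, capture_output=True, text=True).stdout
    return {nick: run("-n", nick) for nick, _ in parse_nicknames(run())}


# --- constructed sample data (what the two certutil invocations would print) ---
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
EXAMPLE.COM IPA CA                                           CT,C,C
"""


def _pretty(subject: str, not_after: str) -> str:
    # Only the lines this script looks at; real certutil output is much longer.
    return ("Certificate:\n    Data:\n        Validity:\n"
            "            Not Before: Thu Aug 17 05:14:00 2017\n"
            f"            Not After : {not_after}\n"
            f"        Subject: \"{subject}\"\n")


SAMPLE_CERTS = {
    "Server-Cert": _pretty("CN=ipa.example.com,O=EXAMPLE.COM",
                           "Sat Sep 16 05:14:00 2017"),
    "EXAMPLE.COM IPA CA": _pretty("CN=Certificate Authority,O=EXAMPLE.COM",
                                  "Tue Aug 17 05:14:00 2027"),
}
SAMPLE_NOW = datetime(2017, 8, 17, 5, 14, tzinfo=timezone.utc)

if __name__ == "__main__":
    # With a directory argument, inspect a real NSS database; otherwise use the sample.
    real = len(sys.argv) > 1
    certs = load_from_nssdb(sys.argv[1]) if real else SAMPLE_CERTS
    now = datetime.now(timezone.utc) if real else SAMPLE_NOW
    for nick, days in expiring(certs, now, warn_days=30):
        print(f"{nick}: expires in {days} days")
```

Run from cron with the database directory as the argument (`/etc/httpd/alias` is assumed here as the httpd NSSDB on a FreeIPA 4.x server; use the path of the dirsrv instance database for LDAP); any line of output is the cue to start the `certutil -A` / `ipa-server-certinstall` procedure while the old certificate is still valid. One caveat when choosing between those two: `certutil -A` imports a certificate only, so it is the right tool when the renewal reused the existing key already in the NSSDB; if the renewal produced a new key pair, the key has to reach the database too, and `ipa-server-certinstall`, which takes a PKCS#12 bundle, handles that case.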