On Thu, Aug 17, 2017 at 01:14:00PM +0800, Alka Murali via FreeIPA-users wrote:
> Hi Fraser,
>
> Thanks for the reply.
>
> However I have both my IPA CA and third party CA, where IPA CA is self
> signed and third party CA Signed by DigiCert. So if my SSL certificate is
> going to expire next month, all that I need to do is to execute 'certutil
> -A" alone?
>
That's correct (or use `ipa-server-certinstall` to do the same thing).

> I have installed FreeIPA Server with default CA Provided by IPA
> (Self-Signed). Later I have installed my Third Party SSL On top of it. Now
> my SSL is going to expire next month. So is ''certutil -A" needed for the
> new certificate to get used by IPA?
>
Yes, you need to put the new certificate in the application's NSSDB,
then restart the application (httpd and/or dirsrv) so that it is
using the new certificate. Clients will already trust the Digicert CA
so no other action should be required.

Cheers,
Fraser

> Thanks and Regards,
> Alka Murali
>
> On Thu, Aug 17, 2017 at 1:06 PM, Fraser Tweedale <[email protected]>
> wrote:
>
> > On Thu, Aug 17, 2017 at 11:01:41AM +0800, Alka Murali via FreeIPA-users
> > wrote:
> > > Hello,
> > >
> > > I am using the embedded CA For FreeIPA as well as external CA Signed by
> > > Digicert. However, the certificate will be expiring next month.
> > >
> > > After renewal, do I need to install the certificate again using the same
> > > steps mentioned within the link
> > > https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> > >
> > > Similarly how will I be able to update the new certificate in my IPA
> > > Clients too. Do I need to follow the steps below on all IPA Clients?
> > >
> > > -----
> > >
> > > certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i ipa.crt
> > >
> > > cp ipa.crt /etc/ipa/ca.crt
> > >
> > > -------
> > >
> > > Can you please brief up the exact procedure to follow for the third party
> > > SSL cert renewal.
> > >
> > > Thanks and Regards,
> > >
> > > Alka Murali
> > >
> > Hi Alka,
> >
> > For **service certificates** use `ipa-server-certinstall` or
> > `certutil -A` to update the certificate(s) on the server(s).
> > No action is required on clients.
> >
> > For **CA certificates** ... is your IPA CA certificate really signed
> > by Digicert? If so, use `ipa-cacert-manage install` to install the
> > new CA certificate. This only needs to be done on one master. Then
> > run `ipa-certupdate` on masters and clients to force an immediate
> > refresh of the CA certificates on those hosts.
> >
> > Cheers,
> > Fraser
> >
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
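The service-certificate procedure Fraser describes (put the renewed cert in the application's NSSDB with `certutil -A`, restart httpd and/or dirsrv, nothing on the clients) as an added example script; this is not code from the thread or from the FreeIPA project. It checks how long the currently installed cert has left by exporting it from the NSSDB with `certutil -L -a` and reading `notAfter` with `openssl x509 -enddate`, verifies that the renewed cert chains to the third-party CA before anything is installed, and builds the two commands for the swap. The NSSDB paths, the `Server-Cert` nickname, the `EXAMPLE-COM` instance name, the `,,` trust flags and the 30-day threshold are assumptions and vary by FreeIPA version and realm.

```python
"""Expiry check and renewal steps for a third-party FreeIPA service
certificate, following the procedure from the thread above.
Added example; not FreeIPA code.  Paths, nickname and threshold below are
assumptions and vary by FreeIPA version and realm."""
import subprocess
from datetime import datetime, timedelta, timezone

# Assumed NSS database locations (older FreeIPA layout) and the default
# server-cert nickname; adjust for your deployment.
NSSDB = {
    "httpd": "/etc/httpd/alias",
    "dirsrv": "/etc/dirsrv/slapd-EXAMPLE-COM",  # placeholder instance name
}
NICKNAME = "Server-Cert"
WARN_DAYS = 30  # renew when this many days or fewer remain


def parse_not_after(line):
    """Parse an 'openssl x509 -noout -enddate' line, e.g.
    'notAfter=Sep 17 12:00:00 2017 GMT', into an aware UTC datetime."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter":
        raise ValueError("unexpected enddate line: %r" % line)
    # openssl always prints validity times in GMT
    naive = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def days_remaining(not_after, now):
    """Whole days until not_after (negative once the cert has expired)."""
    return (not_after - now) // timedelta(days=1)


def certificate_status(not_after, now=None, warn_days=WARN_DAYS):
    """'expired', 'renew-soon' (within warn_days) or 'ok'."""
    if now is None:
        now = datetime.now(timezone.utc)
    left = days_remaining(not_after, now)
    if left < 0:
        return "expired"
    if left <= warn_days:
        return "renew-soon"
    return "ok"


def nssdb_not_after(service, nickname=NICKNAME):
    """Read the installed cert's notAfter from a service NSSDB by exporting it
    as PEM with certutil and feeding it to openssl.  Runs on an IPA server."""
    pem = subprocess.run(
        ["certutil", "-L", "-d", NSSDB[service], "-n", nickname, "-a"],
        check=True, capture_output=True, text=True).stdout
    enddate = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate"],
        input=pem, check=True, capture_output=True, text=True).stdout
    return parse_not_after(enddate)


def chain_verifies(new_cert_pem, ca_bundle_pem):
    """Pre-install check: the renewed cert must chain to the third-party CA
    the clients already trust, or httpd/dirsrv will serve an untrusted cert."""
    result = subprocess.run(
        ["openssl", "verify", "-CAfile", ca_bundle_pem, new_cert_pem],
        capture_output=True, text=True)
    return result.returncode == 0


def renewal_steps(service, new_cert_pem, nickname=NICKNAME):
    """The two steps from the thread: add the renewed cert to the service's
    NSSDB (certutil -A, assumed ',,' trust flags for a server cert whose key
    is already in the DB), then restart that service so it picks the cert up.
    No client-side action is needed for a service certificate."""
    db = NSSDB[service]
    unit = "httpd" if service == "httpd" else "dirsrv@" + db.rsplit("slapd-", 1)[1]
    return [
        ["certutil", "-A", "-d", db, "-n", nickname, "-t", ",,", "-a", "-i", new_cert_pem],
        ["systemctl", "restart", unit],
    ]


if __name__ == "__main__":
    for service in NSSDB:
        not_after = nssdb_not_after(service)
        status = certificate_status(not_after)
        print("%-6s expires %s (%s)" % (service, not_after.date(), status))
        if status != "ok":
            for cmd in renewal_steps(service, "/root/renewed-cert.pem"):
                print("  ", " ".join(cmd))
```

`certutil -A` only adds a certificate, so this path assumes the renewed cert was issued for the key pair already in the NSSDB; if the renewal was re-keyed, install the new key and cert together as a PKCS#12 with `ipa-server-certinstall` instead. Run `chain_verifies()` against the DigiCert bundle before the swap: a cert that fails to chain will be served by httpd/dirsrv just the same, and clients will reject it.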
