On 12/13/18 4:04 PM, Azim Siddiqui via FreeIPA-users wrote:
Hello,

Hope you are doing well. I have a question regarding FreeIPA host certificates. We are using FreeIPA as our LDAP. We have some certificates for hosts, e.g. http/uat.com.
And we are deploying the certs in HAProxy in PEM format.
But the certificates for this host have expired.
Can you please let me know in detail how to renew my expired certificates for the hosts? Please provide me the commands and steps.

Hi,

From your description I understand that you are referring to certificates delivered by the IPA CA for one of the IPA-enrolled hosts, but not the master's Server-Cert used for the IPA Web GUI.

In this case, how did you obtain the certificate? If you used a method similar to what is described in this wiki [1], the certificate should be monitored by certmonger and automatically renewed.

If you followed instead this wiki [2], the certificate is not tracked by certmonger and needs to be manually renewed. You need to do the following, assuming that the cert is in an NSS database $NSSDB on the IPA client:
- find the key nickname
# certutil -K -d $NSSDB
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa 7c0646606b33ab683ee4d1790719ebc4154db0f6 NSS Certificate DB:Server-Cert
(note the key nickname for the next command)

- create a new certificate request that will re-use the existing key (replace DOMAIN.COM with your IPA domain, in uppercase):
# certutil -R -d $NSSDB -k "NSS Certificate DB:Server-Cert" -s "cn=`hostname`,O=DOMAIN.COM" -a -o /tmp/cert.csr
Enter Password or Pin for "NSS Certificate DB":

- request a certificate using the new certificate request
# kinit admin
# ipa cert-request --principal=HTTP/`hostname` /tmp/cert.csr
(the output will display a Serial Number that needs to be noted for the next command)

- remove the previous cert from the NSS database:
# certutil -D -d $NSSDB -n Server-Cert

- export the certificate to a file, then import the certificate in the NSS database:
# ipa cert-show $SERIAL_NUMBER --out=/tmp/server.crt
# certutil -A -d $NSSDB -n Server-Cert -t u,u,u -i /tmp/server.crt

HTH,
flo

[1] https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger
[2] https://www.freeipa.org/page/PKI#Manual_certificate_requests

FreeIPA, version: 4.2.0

Thanks & Regards,
Azeem
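The manual steps from flo's reply, wrapped as a small script that parses the `certutil -K` and `ipa cert-request` output for you and fetches the new certificate before the old one is deleted; this is an added example, not code from the thread or from FreeIPA. It assumes certutil and ipa are on PATH with a valid admin ticket, and that `ipa cert-request` prints a "Serial number:" line; the sample outputs below are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: helpers around the manual renewal
# steps above. Assumes certutil and ipa are on PATH (and "kinit admin" has
# been run) when renew_server_cert is called; the parse_* helpers and the
# constructed sample outputs below work offline.

# Constructed sample of `certutil -K -d $NSSDB` output (matches the thread).
SAMPLE_CERTUTIL_K='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      7c0646606b33ab683ee4d1790719ebc4154db0f6   NSS Certificate DB:Server-Cert'

# Constructed sample of `ipa cert-request` output; the "Serial number:"
# field label is an assumption about the CLI's output format.
SAMPLE_CERT_REQUEST='  Subject: CN=uat.com,O=DOMAIN.COM
  Serial number: 42
  Serial number (hex): 0x2A'

# stdin: certutil -K output. Prints the first key's nickname, e.g.
# "NSS Certificate DB:Server-Cert", which -k needs in the next step.
parse_key_nickname() {
    sed -n 's/^< *[0-9]*> *[a-z]* *[0-9a-fA-F]* *//p' | head -n 1
}

# stdin: ipa cert-request output. Prints the decimal serial number.
parse_serial_number() {
    sed -n 's/^ *Serial number: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Manual renewal of a host's HTTP service cert, reusing the existing key.
# Every step is checked so a failed request never deletes the old cert.
renew_server_cert() {
    nssdb=$1; domain=$2; fqdn=$3
    nick=$(certutil -K -d "$nssdb" | parse_key_nickname)
    [ -n "$nick" ] || { echo "no key found in $nssdb" >&2; return 1; }
    certutil -R -d "$nssdb" -k "$nick" -s "cn=$fqdn,O=$domain" \
        -a -o /tmp/cert.csr || return 1
    serial=$(ipa cert-request --principal="HTTP/$fqdn" /tmp/cert.csr \
        | parse_serial_number)
    [ -n "$serial" ] || { echo "cert-request returned no serial" >&2; return 1; }
    ipa cert-show "$serial" --out=/tmp/server.crt || return 1
    # Only now replace the old cert in the database (the key is kept).
    certutil -D -d "$nssdb" -n Server-Cert || return 1
    certutil -A -d "$nssdb" -n Server-Cert -t u,u,u -i /tmp/server.crt || return 1
    echo "$serial"
}
```

Call it as `renew_server_cert /etc/httpd/alias DOMAIN.COM "$(hostname)"`; it prints the new serial number on success.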


_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
