Rob,

I don't think my response was sent correctly, so sending it again, apologies for 
any duplicates. Also, for misspelling your name. 



Bob, 

I ran the command on the first IPA server (idm1) as:

ipa-getcert request -f /var/lib/ipa/certs/httpd.crt -k 
/var/lib/ipa/private/httpd.key -p /var/lib/ipa/passwds/$HOSTNAME-443-RSA -D 
idm1.xxx.xxx.edu -D idm1.xxx.xxx.edu -C 
/usr/libexec/ipa/certmonger/restart_httpd  -K HTTP/idm1.xxx.xxx.edu -v -w

It appears the command did not change the HTTP certificate on the IdM server. 
The time stamps and content of /var/lib/ipa/certs/httpd.crt and 
/var/lib/ipa/private/httpd.key are unchanged. Rather, the commercial cert is 
now tracked by certmonger?:

~]# getcert list

....
Request ID '20211119173141':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/xxx.xxx.xxx.edu-443-RSA'
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        CA: IPA
        issuer: CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US
        subject: CN=idm1.xxx.xxx.edu,OU=GPS,O=xxx,STREET=xxx,L=xxx,ST=xxx,postalCode=xxx,C=xxx
        expires: 2022-01-02 15:59:59 PST
        dns: idm1.xxx.xxx.edu
        key usage: digitalSignature,keyEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes

I was expecting that the HTTP service on idm1 would get a new cert from the IPA 
self-signed CA, and then that would be tracked/renewed by certmonger. 
Certmonger will be unable to auto-renew the commercial cert, so tracking that 
is not useful. 

-Scott

-----Original Message-----
From: Rob Crittenden <[email protected]> 
Sent: Monday, November 15, 2021 11:04 AM
To: FreeIPA users list <[email protected]>
Cc: Dungan, Scott A. <[email protected]>
Subject: Re: [Freeipa-users] Revert web cert from 3rd party to internal ca

Dungan, Scott A. via FreeIPA-users wrote:
> Hi All
> 
> After deploying FreeIPA with an embedded self-signed CA, the ipa 
> servers were configured to use commercially signed, 3rd party 
> certificates for the HTTP service only. The directory server was left 
> default. This was accomplished by importing the external CA and then 
> the signed certificate, following the instructions on freeipa.org:
> 
> ipa-cacert-manage -t C,, install InCommon_interm.cer
> 
> ipa-certupdate
> 
> ipa-server-certinstall --http /var/lib/ipa/private/httpd.key 
> /var/lib/ipa/private/InCommon_signed.cer
> 
> ipactl restart
> 
> A commercially signed web certificate on the ipa servers is no longer 
> required and we would like to revert back to using certificates from 
> the freeipa self-signed CA. Is there a way to do so?

This will request a new certificate using certmonger which will replace the 3rd 
party certificate and configure the renewal tracking. You may want to make a 
copy of the 3rd party cert and key just in case.

ipa-getcert request -f /var/lib/ipa/certs/httpd.crt -k 
/var/lib/ipa/private/httpd.key -p /var/lib/ipa/passwds/ipa.example.test-443-RSA 
-D `hostname` -D ipa-ca.example.test -C 
/usr/libexec/ipa/certmonger/restart_httpd  -K HTTP/`hostname` -v -w

If you aren't using ACME you can skip the SAN for ipa-ca.example.test

Restart the httpd service once it is issued.

Adjust to your hostname/domain as needed.

rob
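Added example (not code from this thread, from FreeIPA or from certmonger): a small Python audit over `getcert list` output that surfaces the state Scott reports at the top of the thread after running Rob's ipa-getcert command, namely a request tracked under `CA: IPA` with auto-renew on whose certificate was not issued by the IPA CA, plus a simple expiry horizon so the mismatch is noticed before the commercial cert runs out. The sample output is constructed, modelled on the excerpt in Scott's message with placeholder hostnames and DNs; the IPA CA subject `CN=Certificate Authority,O=EXAMPLE.TEST` is assumed (the default IPA CA subject is `CN=Certificate Authority,O=<REALM>`, so pass your own realm).

```python
"""Audit `getcert list` output for tracking requests whose certificate was
not issued by the CA certmonger is configured to renew it with.

Added example; not part of the mailing-list thread or of FreeIPA/certmonger.
Run it as:  getcert list | python3 audit_getcert.py
"""
import re
import sys
from datetime import datetime

# Constructed sample modelled on the `getcert list` excerpt in the thread.
# Hostnames, DNs and the realm are placeholders, not real values.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20211119173141':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/idm1.example.test-443-RSA'
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        CA: IPA
        issuer: CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US
        subject: CN=idm1.example.test,OU=GPS,O=Example,L=Somewhere,ST=XX,C=US
        expires: 2022-01-02 15:59:59 PST
        dns: idm1.example.test
        key usage: digitalSignature,keyEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20210101120000':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.TEST
        subject: CN=idm1.example.test,O=EXAMPLE.TEST
        expires: 2023-06-01 10:00:00 UTC
        dns: idm1.example.test
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-TEST
        track: yes
        auto-renew: yes
"""

# Assumed IPA CA subject; the default form is CN=Certificate Authority,O=<REALM>.
IPA_CA_SUBJECT = "CN=Certificate Authority,O=EXAMPLE.TEST"

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")


def parse_getcert_list(text):
    """Split `getcert list` text into one dict per tracking request.

    Each indented 'key: value' line becomes a dict entry; only the first
    colon separates key from value, so DNs and storage specs stay intact.
    """
    records, current = [], None
    for raw in text.splitlines():
        m = REQUEST_RE.match(raw)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
            continue
        if current is None or ":" not in raw:
            continue  # header line before the first request, or noise
        key, _, value = raw.strip().partition(":")
        current[key.strip()] = value.strip()
    return records


def parse_expiry(record):
    """Parse the 'expires' field. The trailing zone abbreviation (PST, UTC)
    is dropped because strptime cannot resolve zone names."""
    stamp = record["expires"].rsplit(" ", 1)[0]
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def days_left(record, now):
    """Whole days from `now` (a 'YYYY-MM-DD' string) until the cert expires."""
    return (parse_expiry(record) - datetime.strptime(now, "%Y-%m-%d")).days


def find_mismatched(records, ipa_ca_subject=IPA_CA_SUBJECT):
    """Request IDs tracked with CA: IPA and auto-renew on, but whose current
    certificate was issued by some other CA. This is the state in the
    thread: the commercial cert is tracked, yet it did not come from IPA."""
    return [r["request_id"] for r in records
            if r.get("CA") == "IPA" and r.get("auto-renew") == "yes"
            and r.get("issuer", "") != ipa_ca_subject]


def expiring_within(records, days, now):
    """Request IDs whose certificate expires within `days` of `now`."""
    return [r["request_id"] for r in records if days_left(r, now) <= days]


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCERT_LIST
    recs = parse_getcert_list(text)
    for rid in find_mismatched(recs):
        print(f"{rid}: tracked under CA IPA but issued by a different CA")
    for rid in expiring_within(recs, 60, datetime.now().strftime("%Y-%m-%d")):
        print(f"{rid}: expires within 60 days")
```

Run against the sample, the first request (the one matching Scott's excerpt) is reported on both counts; the directory server entry, issued by the IPA CA itself, is silent. After re-running `ipa-getcert request`, a clean report is the quick confirmation that the issuer really changed, which the file timestamps Scott compared also give.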
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure