Good evening
On 18/10/2023 at 19:43, Rob Crittenden via FreeIPA-users wrote:
> Right, so ipa-ca-install did effectively replace the old CA, but you're
> not done yet. As Flo points out, the HTTP and 389-ds (and who knows
> about PKINIT) certs were issued by a 3rd party.
>
> At this point in the thread I can't even remember which version of
> RHEL/IPA you are running. I think it's RHEL 7 so here are some pointers
> there.
Sorry if this thread is . You are right, I am using CentOS 7.
> You should be able to use certmonger to get new certs but it will
> involve some more manual effort.
>
> See what your nicknames are before starting to ensure there is no conflict.
>
> # certutil -L -d /etc/httpd/alias
> # certutil -L -d /etc/dirsrv/slapd-REALM
>
> I'm using the IPA-standard Server-Cert in these examples
>
> # getcert request -d /etc/httpd/alias -n Server-Cert -p /etc/httpd/alias/pwdfile.txt -D <IPA FQDN> -K HTTP/<IPA FQDN> -C /usr/libexec/ipa/certmonger/restart_httpd -v -w
>
> Assuming I didn't mess up the command and the request status goes into
> MONITORING you can try switching to the new cert. Edit
> /etc/httpd/conf.d/nss.conf and replace the value of NSSNickname with
> Server-Cert. I'd save a copy of that value just in case you need to
> go back.
>
> Restart Apache.
>
> If all went well you now have an IPA-issued certificate for it.
>
> For 389. Remember that REALM here replaces dots with dashes, so
> EXAMPLE.TEST becomes EXAMPLE-TEST
>
> # getcert request -d /etc/dirsrv/slapd-INSTANCE -n Server-Cert -p /etc/dirsrv/slapd-INSTANCE/pwdfile.txt -D <IPA FQDN> -K ldap/<IPA FQDN> -C "/usr/libexec/ipa/certmonger/restart_dirsrv REALM" -v -w
>
> Once it issues, stop the dirsrv service (important, don't forget).
> Edit /etc/dirsrv/slapd-REALM/dse.ldif
> Replace the value in nsSSLPersonalitySSL with Server-Cert
> Restart dirsrv
>
> Hopefully profit.
>
> The old certificates will still be in the NSS database(s) if you need to
> revert.
>
> rob
I will try those commands and Florence's link.
Thank you for your help.
Regards,
Frederic
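As an added illustration of the procedure Rob describes (this is not a script from the thread or from the FreeIPA project), the following bash script wraps the steps into functions: it parses the `status:` field of `getcert list` so the nickname swap only happens once a request is in MONITORING, replaces `NSSNickname` in nss.conf and `nsSSLPersonalitySSL` in dse.ldif with sed while saving the previous value next to the file for a rollback, and stops dirsrv before touching dse.ldif. The file paths, nicknames, `pwdfile.txt` locations and service names follow the mail and the CentOS 7 layout; the `run` entry point and the `.nickname.bak` backup files are this example's own conventions, and the edits only execute when the script is invoked as `./swap-nick.sh run <IPA FQDN> <REALM-WITH-DASHES>`.

```bash
#!/bin/bash
# Added example, not from the FreeIPA thread: swap the IPA HTTP and 389-ds
# service certificates to the certmonger-issued "Server-Cert" nickname.
set -eu

# Print the current nickname for KEY in FILE.
# KEY is "NSSNickname" (Apache directive, space separated) or
# "nsSSLPersonalitySSL" (LDIF attribute, "key: value").
current_nickname() {
    local file=$1 key=$2
    awk -v k="$key" '$1 == k || $1 == k":" { print $2; exit }' "$file"
}

# Replace the nickname in FILE, keeping the old value in FILE.nickname.bak
# (naming is this example's choice) so the change can be reverted; the old
# certificate itself stays in the NSS database, as Rob notes.
switch_nickname() {
    local file=$1 key=$2 new=$3 old
    old=$(current_nickname "$file" "$key")
    [ -n "$old" ] || { echo "no $key found in $file" >&2; return 1; }
    printf '%s\n' "$old" > "$file.nickname.bak"
    if [ "$key" = NSSNickname ]; then
        sed "s|^\(NSSNickname[[:space:]][[:space:]]*\).*|\1$new|" "$file" > "$file.tmp"
    else
        sed "s|^\($key:[[:space:]]*\).*|\1$new|" "$file" > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# Read `getcert list` output on stdin and print the request's "status:" value
# (e.g. MONITORING, CA_UNREACHABLE, CA_REJECTED).
tracking_status() {
    awk -F': *' '$1 ~ /^[[:space:]]*status$/ { print $2; exit }'
}

# The full sequence from the thread. FQDN is the IPA server name, REALM the
# dirsrv instance name (dots already replaced by dashes).
run_procedure() {
    local fqdn=$1 realm=$2
    local httpdb=/etc/httpd/alias dsdb="/etc/dirsrv/slapd-$realm"

    # 1. Look at the existing nicknames so the new request does not collide.
    certutil -L -d "$httpdb"
    certutil -L -d "$dsdb"

    # 2. Ask certmonger for IPA-issued certificates; -w waits for issuance.
    getcert request -d "$httpdb" -n Server-Cert -p "$httpdb/pwdfile.txt" \
        -D "$fqdn" -K "HTTP/$fqdn" -C /usr/libexec/ipa/certmonger/restart_httpd -v -w
    getcert request -d "$dsdb" -n Server-Cert -p "$dsdb/pwdfile.txt" \
        -D "$fqdn" -K "ldap/$fqdn" -C "/usr/libexec/ipa/certmonger/restart_dirsrv $realm" -v -w

    # 3. Only swap nicknames once both requests report MONITORING.
    local db
    for db in "$httpdb" "$dsdb"; do
        [ "$(getcert list -d "$db" -n Server-Cert | tracking_status)" = MONITORING ] \
            || { echo "$db: Server-Cert request is not in MONITORING yet" >&2; return 1; }
    done

    # 4. Apache: point NSSNickname at the new cert and restart.
    switch_nickname /etc/httpd/conf.d/nss.conf NSSNickname Server-Cert
    systemctl restart httpd

    # 5. 389-ds rewrites dse.ldif on shutdown, so stop it before editing.
    systemctl stop "dirsrv@$realm"
    switch_nickname "$dsdb/dse.ldif" nsSSLPersonalitySSL Server-Cert
    systemctl start "dirsrv@$realm"
}

case "${1:-}" in
    run) run_procedure "$2" "$3" ;;
esac
```

If a request ends in CA_UNREACHABLE or CA_REJECTED instead of MONITORING, the script refuses to edit the configuration, so the third-party certificates keep serving until the certmonger side is sorted out; reverting afterwards is just writing the saved `.nickname.bak` value back and restarting the service.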
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue