Can't believe that time is up already. The third-party signed certificate that I deployed my freeipa server with is about to expire. Our certificate signer has now set the minimum key length to 2048 bit, which means I have to re-key our primary freeipa SSL certificate. Before I install the new certificate, I was wondering what impact this will have on the other directory servers in my topology? I have one Active Directory domain controller performing AD sync. I have four domain controllers running password sync. I have one other freeipa replication server.

freeipa replica server
I assume that since the replication server has its own third-party signed SSL certificate installed, it will not be affected at all by installing a new certificate, since the certificate trust chain of the new freeipa master certificate will be the same as the old one (and the same as the cert used by the replication server).

AD Sync Agreement
I also do not expect any issues here, since the certificate chain remains the same and is already trusted by the AD domain controller.

Passsync Domain Controllers
I am less sure about this one. Again, the certificate chain will remain the same, but I will probably need to replace the peer certificate in the DC's cert database. I plan on just using certutil to remove and import the new peer certificate.

Should I use ipa-server-certinstall to install the new certificate on the freeipa master, or should I just use certutil to remove and replace the existing server cert (making sure to use the same certificate friendly name)?

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
