James Roman wrote:
Can't believe that time is up already. The third-party signed certificate that I deployed my freeipa server with is about to expire. Our certificate signer has now set the minimum key length to 2048 bit, which means I have to re-key our primary freeipa SSL certificate. Before I install the new certificate, I was wondering what impact this will have on the other directory servers in my topology? I have one Active Directory domain controller performing AD sync. I have four domain controllers running password sync. I have one other freeipa replication server.

As you point out, the chain is remaining the same, so I think you just need to replace this one expiring cert.


*freeipa replica server*
I assume that since the replication server has its own third-party signed SSL certificate installed, it will not be affected at all by installing a new certificate, since the certificate trust chain of the new freeipa master certificate will be the same as the old one (and the same as the cert used by the replication server).

Right, unless it is about to expire too!

*AD Sync Agreement*
I also do not expect any issues here, since the Certificate chain remains the same and is already trusted by the AD domain controller.

I agree.

*PassSync Domain Controllers*
I am less sure about this one. Again, the certificate chain will remain the same, but I will probably need to replace the peer certificate in the DC's cert database. I plan on just using certutil to remove and import the new peer certificate.

I don't think you need to do anything here. The passsync database just needs to trust the cert that DS is using. Since you are using the same CA I think you'll be fine.

Should I use ipa-server-certinstall to install the new certificate on the freeipa master, or should I just use certutil to remove and replace the existing server cert (making sure to use the same certificate friendly name)?

Either should work. ipa-server-certinstall assumes (perhaps poorly) that the PKCS#12 file you provide includes the CA chain as well, so be sure that is included.

If you are comfortable with certutil that is certainly an option. Where are you going to generate the CSR for this new cert?

rob
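The re-key procedure rob outlines, as an added shell example that is not code from the thread or from FreeIPA itself: confirm the new key meets the signer's 2048-bit minimum, build a PKCS#12 that carries the CA chain (the thing ipa-server-certinstall assumes is present), check that the chain actually made it into the bundle, and then install it, with the manual certutil/pk12util route shown beside it. The file names newcert.pem/newkey.pem/chain.pem, the Server-Cert nickname, the /etc/httpd/alias and /etc/dirsrv/slapd-EXAMPLE-COM directories and the ipa-server-certinstall flags are assumptions for illustration.

```shell
#!/bin/bash
# Added example (not from the thread): re-keying a third-party-signed FreeIPA
# server certificate. Assumed names: newcert.pem, newkey.pem, chain.pem in the
# current directory, NSS nickname "Server-Cert", the /etc/httpd/alias database
# and a hypothetical DS instance directory /etc/dirsrv/slapd-EXAMPLE-COM.

# Count certificates in a PEM stream on stdin. Pure grep, so it can be checked
# offline; "|| true" keeps a zero count from being treated as a failure.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# RSA modulus size of a PEM certificate (e.g. 2048), read out of openssl's text dump.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Compare a key size against the signer's minimum (default 2048 bits).
key_meets_minimum() {
    [ "$1" -ge "${2:-2048}" ]
}

# ipa-server-certinstall assumes the PKCS#12 carries the CA chain as well as the
# server cert: require the leaf plus at least one CA certificate in the bundle.
p12_has_chain() {
    local n
    n=$(openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | count_pem_certs)
    [ "$n" -ge 2 ]
}

# Full procedure; only runs when invoked as "./rekey.sh rekey <p12-password>".
if [ "${1:-}" = "rekey" ]; then
    P12PASS="${2:?p12 password required}"
    bits=$(cert_key_bits newcert.pem)
    key_meets_minimum "$bits" 2048 || { echo "key is only $bits bits" >&2; exit 1; }

    # Bundle leaf + key + chain under the same nickname the old cert used.
    openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -certfile chain.pem \
        -name Server-Cert -passout "pass:$P12PASS" -out server.p12
    p12_has_chain server.p12 "$P12PASS" || { echo "CA chain missing from server.p12" >&2; exit 1; }

    # Option 1: let FreeIPA install it into both the HTTP (-w) and DS (-d) databases
    # (flag names assumed for the FreeIPA version in use; check ipa-server-certinstall --help).
    ipa-server-certinstall -w -d --pin "$P12PASS" server.p12

    # Option 2 (manual, one NSS database at a time): drop the old cert under the same
    # nickname, import the bundle with pk12util, then confirm the new validity dates.
    # The chain certificates are already trusted, so only the server cert changes.
    # certutil -D -d /etc/httpd/alias -n Server-Cert
    # pk12util -i server.p12 -d /etc/httpd/alias -W "$P12PASS"
    # certutil -L -d /etc/httpd/alias -n Server-Cert
    # (repeat for /etc/dirsrv/slapd-EXAMPLE-COM, then restart httpd and dirsrv)
fi
```

The chain check is the one worth keeping even if you skip the rest: a PKCS#12 exported without -certfile installs cleanly with pk12util but leaves ipa-server-certinstall without the CA it expects to find.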


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
