James Roman wrote:
Can't believe that time is up already. The third-party signed certificate that I deployed my freeipa server with is about to expire. Our certificate signer has now set the minimum key length to 2048 bit, which means I have to re-key our primary freeipa SSL certificate. Before I install the new certificate, I was wondering what impact this will have on the other directory servers in my topology? I have one Active Directory domain controller performing AD sync. I have four domain controllers running password sync. I have one other freeipa replication server.


As you point out, the chain is remaining the same, so I think you just need to replace this one expiring cert.


*freeipa replica server*
I assume that since the replication server has its own third-party signed SSL certificate installed, it will not be affected at all by installing a new certificate, since the certificate trust chain of the new freeipa master certificate will be the same as the old one (and the same as the cert used by the replication server).

Right, unless it is about to expire too!

*AD Sync Agreement*
I also do not expect any issues here, since the Certificate chain remains the same and is already trusted by the AD domain controller.

I agree.

*Passsync Domain Controllers*
I am less sure about this one. Again, the certificate chain will remain the same, but I will probably need to replace the peer certificate in the DC's cert database. I plan on just using certutil to remove and import the new peer certificate.

I don't think you need to do anything here. The passsync database just needs to trust the cert that DS is using. Since you are using the same CA I think you'll be fine.

Should I use ipa-server-certinstall to install the new certificate on the freeipa master, or should I just use certutil to remove and replace the existing server cert (making sure to use the same certificate friendly name)?

Either should work. ipa-server-certinstall assumes (perhaps poorly) that the PKCS#12 file you provide includes the CA chain as well, so be sure that is included.

If you are comfortable with certutil that is certainly an option. Where are you going to generate the CSR for this new cert?

rob

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to