Erinn Looney-Triggs wrote:

On 11/25/2013 11:09 AM, Rob Crittenden wrote:
Erinn Looney-Triggs wrote:
Folks just wanted to touch base again before the American holiday
season starts. My CA, which is subordinate to AD CS will be
expiring on December 9th, I submitted a bug, y'all drew up docs
etc for a plan (thanks). Now I just wanted to see how it was
going and if need be what manual steps I will need to take to
renew the certificate.

Thanks again for the great work,

We're working on a set of tools to make this easier. For now
I've appended some manual instructions onto a page still in
progress.

http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Manual_Procedure_in_IPA_3.0



Some parts may still be a little rough or hard to understand.
Let me know if you have any problems or corrections.

rob

Rob,

Thanks for the instructions, a few questions.

What sort of interruption in service could this create?

Services will be restarted during this process including your LDAP, Apache and CA instances. Downtime should be relatively short, no more than a few minutes combined.

Can you expand on this section a little bit:
Replace the value of ca.signing.cert in /etc/pki-ca/CS.cfg. This is
the base64 value of the certificate. You can obtain this by removing
the BEGIN/END blocks from ipa.crt and compressing it into a single line.

A PEM cert looks like:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

You need to drop the BEGIN/END blocks then combine all the lines into a single line, so you have a unified base64 blob. It will look like:

ca.signing.cert=MII...B0DGohV1BeTA=

I was afraid wrapping would destroy my demonstration so I used ellipses instead.

Thanks and happy Thanksgiving,

You're welcome. You too.

rob
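
The flattening step described in the reply above, as an added example that is not part of the original thread or of FreeIPA's own tooling: a POSIX shell sketch that strips the BEGIN/END lines from a PEM file, joins the body into one line, sanity-checks it, and rewrites only the `ca.signing.cert=` line while keeping a backup. The function names `pem_to_single_line` and `set_ca_signing_cert` are hypothetical, and the sketch assumes the first certificate in the file is the one wanted.

```shell
#!/bin/sh
# Added example (not from the thread): hypothetical helper functions.

# pem_to_single_line FILE
# Print the base64 body of the first certificate in FILE as one line.
# Fails if the block is unterminated, empty, or not well-formed base64 text.
pem_to_single_line() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { if (!seen) inside = 1; next }
        /-----END CERTIFICATE-----/   { if (inside) { inside = 0; seen = 1 }; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }   # drop CR and stray spaces
        END {
            if (inside || !seen || body == "") exit 1     # no complete block found
            if (body !~ "^[A-Za-z0-9+/]+=?=?$") exit 1    # non-base64 characters
            if (length(body) % 4 != 0) exit 1             # truncated or bad padding
            print body
        }
    ' "$1"
}

# set_ca_signing_cert CFG PEM
# Replace the value of ca.signing.cert in CFG with the flattened PEM body.
# The original is saved as CFG.bak; CFG is rewritten in place so that its
# owner and permissions are preserved.
set_ca_signing_cert() {
    cfg=$1
    b64=$(pem_to_single_line "$2") || {
        echo "not a usable PEM certificate: $2" >&2; return 1; }
    grep -q '^ca\.signing\.cert=' "$cfg" || {
        echo "no ca.signing.cert line in $cfg" >&2; return 1; }
    cp -p "$cfg" "$cfg.bak" || return 1
    # The trailing "=" in the pattern keeps neighbouring keys that merely
    # start with the same prefix untouched.
    awk -v v="$b64" '
        /^ca\.signing\.cert=/ { print "ca.signing.cert=" v; next }
        { print }
    ' "$cfg.bak" > "$cfg"
}

# Usage, with the paths named in the thread:
#   set_ca_signing_cert /etc/pki-ca/CS.cfg ipa.crt
```

Comparing `CS.cfg` against `CS.cfg.bak` with `diff` afterwards should show exactly one changed line.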
