On 11/27/2013 11:11 AM, Rob Crittenden wrote:
> Erinn Looney-Triggs wrote:
>> On 11/25/2013 11:09 AM, Rob Crittenden wrote:
>>> Erinn Looney-Triggs wrote:
>>>> Folks, just wanted to touch base again before the American holiday season starts. My CA, which is subordinate to AD CS, will be expiring on December 9th. I submitted a bug, y'all drew up docs etc. for a plan (thanks). Now I just wanted to see how it was going and, if need be, what manual steps I will need to take to renew the certificate.
>>>>
>>>> Thanks again for the great work,
>>>
>>> We're working on a set of tools to make this easier. For now I've appended some manual instructions onto a page still in progress.
>>>
>>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Manual_Procedure_in_IPA_3.0
>>>
>>> Some parts may still be a little rough or hard to understand. Let me know if you have any problems or corrections.
>>>
>>> rob
>>
>> Rob,
>>
>> Thanks for the instructions, a few questions.
>>
>> What sort of interruption in service could this create?
>
> Services will be restarted during this process, including your LDAP, Apache and CA instances. Downtime should be relatively short, no more than a few minutes combined.
>
>> Can you expand on this section a little bit: Replace the value of ca.signing.cert in /etc/pki-ca/CS.cfg. This is the base64 value of the certificate. You can obtain this by removing the BEGIN/END blocks from ipa.crt and compressing it into a single line.
>
> A PEM cert looks like:
>
> -----BEGIN CERTIFICATE-----
> MIIB/zCCAWigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBB
> IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDIyMzIyMzMxNVoXDTIw
> MDIyMzIyMzMxNVowKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0
> aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+G6ultyLaXqzBlypA
> DnOsinkMTlZZssTFQh/QUMi1F1fcn8QUlmsl9a+l6w6hfZm7P8z3sVwsjLQcDWA4
> KxOh+LmIsNL4OKx4wKF1q/pSt1PATRU5Pgu2+3wlwJO0H7cl4QfavoOLwmxAZf/l
> ZNIy/5czvSWFWj7EJj16ty9BeQIDAQABozYwNDARBglghkgBhvhCAQEEBAMCAAcw
> DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAsQwDQYJKoZIhvcNAQEFBQAD
> gYEAl0gIshwNkhyfNe1XMLswPeOgH5YN1BUuKXzbv1fuSIkArjwLODr4cOdXzQvt
> yaiX6Z+pRC/sK8MgLhPxV2X9QVQdzKfLkVGIdboCt1j3EXxSUCZeIuSKouitkWYe
> eSH9DQkYDp/oKgANLWnY7CNorPz6xQktp1pB0DGohV1BeTA=
> -----END CERTIFICATE-----
>
> You need to drop the BEGIN/END blocks, then combine all the lines into a single line, so you have a unified base64 blob. It will look like:
>
> ca.signing.cert=MII...B0DGohV1BeTA=
>
> I was afraid wrapping would destroy my demonstration so I used ellipses instead.
>
>> Thanks and happy Thanksgiving,
>
> You're welcome. You too.
>
> rob
>
Ok, I have done the steps as outlined. One small suggestion and one question came up.

Suggestion: for the ldapmodify command, indicate that a ctl-d is necessary to end input. Most folks will know this, but some may not.

For the client section you have me copy the newly signed subordinate CA certificate into /etc/ipa/ca.crt. However, on my hosts that was actually a copy of the AD CS certificate, not the subordinate certificate. In the case of a subordinate installation, do you want the root or the subordinate CA? It would seem that the root would be broader, but I just want to make sure.

-Erinn

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
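The step Rob describes above (strip the BEGIN/END lines from the PEM file and fold the base64 body into one line for `ca.signing.cert` in CS.cfg) is easy to get subtly wrong by hand: a stray CR from a file copied off Windows, a file that turns out to hold a key or a whole chain, or a truncated paste all produce a value that Dogtag will reject or, worse, load as garbage. The script below is an added example written for this thread; it is not FreeIPA or Dogtag code and nothing on the wiki page relies on it. It uses the test certificate Rob quoted as its sample input, checks that the folded value decodes to a single well-formed DER SEQUENCE whose declared length matches the data, and then rewrites the `ca.signing.cert` line in a constructed CS.cfg fragment. The function names, the second config key and the file layout are assumptions made for the demonstration.

```python
"""Fold a PEM certificate into the one-line base64 value CS.cfg expects.

Added example for this mailing-list thread; not FreeIPA/Dogtag code.
"""
import base64
import re

# Sample input: the test certificate quoted in the thread, deliberately
# given CRLF line endings and a trailing blank line to mimic a file that
# was copied through Windows.  Constructed for this example.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIB/zCCAWigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBB\r\n"
    "IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDIyMzIyMzMxNVoXDTIw\r\n"
    "MDIyMzIyMzMxNVowKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0\r\n"
    "aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+G6ultyLaXqzBlypA\r\n"
    "DnOsinkMTlZZssTFQh/QUMi1F1fcn8QUlmsl9a+l6w6hfZm7P8z3sVwsjLQcDWA4\r\n"
    "KxOh+LmIsNL4OKx4wKF1q/pSt1PATRU5Pgu2+3wlwJO0H7cl4QfavoOLwmxAZf/l\r\n"
    "ZNIy/5czvSWFWj7EJj16ty9BeQIDAQABozYwNDARBglghkgBhvhCAQEEBAMCAAcw\r\n"
    "DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAsQwDQYJKoZIhvcNAQEFBQAD\r\n"
    "gYEAl0gIshwNkhyfNe1XMLswPeOgH5YN1BUuKXzbv1fuSIkArjwLODr4cOdXzQvt\r\n"
    "yaiX6Z+pRC/sK8MgLhPxV2X9QVQdzKfLkVGIdboCt1j3EXxSUCZeIuSKouitkWYe\r\n"
    "eSH9DQkYDp/oKgANLWnY7CNorPz6xQktp1pB0DGohV1BeTA=\r\n"
    "-----END CERTIFICATE-----\r\n"
    "\r\n"
)

# Constructed CS.cfg fragment.  Only ca.signing.cert is a real key from the
# thread; the second line is a placeholder to show untouched lines survive.
SAMPLE_CS_CFG = (
    "ca.signing.cert=OLDVALUETOBEREPLACED=\n"
    "example.placeholder.key=unchanged\n"
)

_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def der_total_length(der):
    """Length of the outer DER element (tag + length octets + content).

    Handles short-form and long-form length encodings, which is all a
    certificate needs.  Raises ValueError on malformed length octets.
    """
    if len(der) < 2:
        raise ValueError("DER element too short")
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def single_line_to_der(blob):
    """Decode the folded base64 value strictly and sanity-check the DER."""
    der = base64.b64decode(blob, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("value does not start with a DER SEQUENCE")
    if der_total_length(der) != len(der):
        raise ValueError("DER length does not match data: truncated or garbled")
    return der


def pem_to_single_line(pem_text):
    """Return the base64 body of exactly one CERTIFICATE block as one line.

    Refuses private keys and other PEM labels, and refuses files holding
    more than one block (a chain), since ca.signing.cert wants one cert.
    """
    blocks = _PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError("expected exactly one PEM block, found %d" % len(blocks))
    label, body = blocks[0]
    if label != "CERTIFICATE":
        raise ValueError("PEM block is a %s, not a CERTIFICATE" % label)
    blob = "".join(body.split())  # drops \r, \n, tabs and spaces
    single_line_to_der(blob)      # validate before handing it out
    return blob


def set_cs_cfg_value(cfg_text, key, value):
    """Replace the value of one key=value line; error if the key is absent."""
    out, found = [], False
    for line in cfg_text.splitlines():
        if line.startswith(key + "="):
            out.append(key + "=" + value)
            found = True
        else:
            out.append(line)
    if not found:
        raise KeyError(key)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    folded = pem_to_single_line(SAMPLE_PEM)
    print(set_cs_cfg_value(SAMPLE_CS_CFG, "ca.signing.cert", folded), end="")
```

Run it on a real file with `pem_to_single_line(open("ipa.crt").read())`; the chain and label checks are there precisely because of the question in this thread about which certificate ends up in which file.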
