-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/27/2013 11:11 AM, Rob Crittenden wrote:
> Erinn Looney-Triggs wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> 
>> 
>> 
>> On 11/25/2013 11:09 AM, Rob Crittenden wrote:
>>> Erinn Looney-Triggs wrote:
>>>> Folks just wanted to touch base again before the American
>>>> holiday season starts. My CA, which is subordinate to AD CS
>>>> will be expiring on December 9th, I submitted a bug, y'all
>>>> drew up docs etc for a plan (thanks). Now I just wanted to
>>>> see how it was going and if need be what manual steps I will
>>>> need to take to renew the certificate.
>>>> 
>>>> Thanks again for the great work,
>>> 
>>> We're working on an a set of tools to make this easier. For
>>> now I've appended some manual instructions onto a page still
>>> in progress.
>>> 
>>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Manual_Procedure_in_IPA_3.0
>>>
>>>
>>>
>>>
>>>
>>> 
Some parts may be still be a little rough or hard to understand.
>>> Let me know if you have any problems or corrections.
>>> 
>>> rob
>> 
>> Rob,
>> 
>> Thanks for the instructions, a few questions.
>> 
>> What sort of interruption in service could this create?
> 
> Services will be restarted during this process including your
> LDAP, Apache and CA instances. Downtime should be relatively short,
> no more than a few minutes combined.
> 
>> Can you expand on this section a little bit: Replace the value of
>> ca.signing.cert in /etc/pki-ca/CS.cfg. This is the base64 value
>> of the certificate. You can obtain this by removing the BEGIN/END
>> blocks from ipa.crt and compressing it into a single line.
> 
> A PEM cert looks like:
> 
> -----BEGIN CERTIFICATE----- 
> MIIB/zCCAWigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBB 
> IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMDIyMzIyMzMxNVoXDTIw 
> MDIyMzIyMzMxNVowKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGUgQXV0 
> aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+G6ultyLaXqzBlypA 
> DnOsinkMTlZZssTFQh/QUMi1F1fcn8QUlmsl9a+l6w6hfZm7P8z3sVwsjLQcDWA4 
> KxOh+LmIsNL4OKx4wKF1q/pSt1PATRU5Pgu2+3wlwJO0H7cl4QfavoOLwmxAZf/l 
> ZNIy/5czvSWFWj7EJj16ty9BeQIDAQABozYwNDARBglghkgBhvhCAQEEBAMCAAcw 
> DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAsQwDQYJKoZIhvcNAQEFBQAD 
> gYEAl0gIshwNkhyfNe1XMLswPeOgH5YN1BUuKXzbv1fuSIkArjwLODr4cOdXzQvt 
> yaiX6Z+pRC/sK8MgLhPxV2X9QVQdzKfLkVGIdboCt1j3EXxSUCZeIuSKouitkWYe 
> eSH9DQkYDp/oKgANLWnY7CNorPz6xQktp1pB0DGohV1BeTA= -----END
> CERTIFICATE-----
> 
> You need to drop the BEGIN/END blocks then combine all the lines
> into a single line, so you have a unified base64 blog. It will look
> like:
> 
> ca.signing.cert=MII...B0DGohV1BeTA=
> 
> I was afraid wrapping woudl destroy my demonstration so I used
> ellipses instead.
> 
>> Thanks and happy Thanksgiving,
> 
> You're welcome. You too.
> 
> rob
> 

Ok I have done the steps as outlined. One small suggestion and one
question came up.

Suggestion: for the ldapmodify command indicate that a ctl-d is
necessary to end input. Most folks will know this, but some may not.

For the client section you have me copy the newly signed subordnate CA
certificate into /etc/ipa/ca.crt. However, on my hosts that was
actually a copy of the AD CS certificate, not the subordinate
certificate. In the case of a subordinate installation do you want the
root or the subordinate CA? It would seem that the root would be
broader, but I just want to make sure.

- -Erinn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQEcBAEBAgAGBQJSnimlAAoJENetaK3v/E7PojIH/1O8r4O6BRs87ZXpnkE8wqPS
Ym6wIRIZDl+H4tAr/QCrJKdIXG40wGQEQfvyE28voEgNFnRTIN0OHdflSyNlLIKK
+yMqEfjotLuepsv2GiJS7JcaoEo3cSTBU/OMGWxXnNXwiuqD6MQZoTh9sMOYJM+f
IC2hPQHx4HPPXn20nwI2YXbvukPMm2igy7mpgqQqn0roKNCaxr0HSX0bY5i9Xjtq
8PTIV2tHeqkv+bCj57ZT8/80CPX+pXfBFN+aD0/9+xgsLoD1lZTqo0+Vt6mq+9Ex
00DIpdYAweTNAELWgcb3JtSjH9vDs3IyqQ2SlTEOo6T5PpUnEX3r9FxQE/G1gtc=
=1nY9
-----END PGP SIGNATURE-----

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to