Erinn Looney-Triggs wrote:

On 11/27/2013 11:11 AM, Rob Crittenden wrote:
Erinn Looney-Triggs wrote:

On 11/25/2013 11:09 AM, Rob Crittenden wrote:
Erinn Looney-Triggs wrote:
Folks, just wanted to touch base again before the American
holiday season starts. My CA, which is subordinate to AD CS,
will be expiring on December 9th. I submitted a bug, y'all
drew up docs etc. for a plan (thanks). Now I just wanted to
see how it was going and, if need be, what manual steps I will
need to take to renew the certificate.

Thanks again for the great work,

We're working on a set of tools to make this easier. For
now I've appended some manual instructions onto a page still
in progress.

http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Manual_Procedure_in_IPA_3.0

Some parts may still be a little rough or hard to understand.
Let me know if you have any problems or corrections.

rob

Rob,

Thanks for the instructions, a few questions.

What sort of interruption in service could this create?

Services will be restarted during this process including your
LDAP, Apache and CA instances. Downtime should be relatively short,
no more than a few minutes combined.

Can you expand on this section a little bit: Replace the value of
ca.signing.cert in /etc/pki-ca/CS.cfg. This is the base64 value
of the certificate. You can obtain this by removing the BEGIN/END
blocks from ipa.crt and compressing it into a single line.

A PEM cert looks like:

-----BEGIN CERTIFICATE-----
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
-----END CERTIFICATE-----

You need to drop the BEGIN/END blocks then combine all the lines
into a single line, so you have a unified base64 blob. It will look
like:

ca.signing.cert=MII...B0DGohV1BeTA=

I was afraid wrapping would destroy my demonstration so I used
ellipses instead.

Thanks and happy Thanksgiving,

You're welcome. You too.

rob


Ok I have done the steps as outlined. One small suggestion and one
question came up.

Suggestion: for the ldapmodify command, indicate that a Ctrl-D is
necessary to end input. Most folks will know this, but some may not.

For the client section you have me copy the newly signed subordinate CA
certificate into /etc/ipa/ca.crt. However, on my hosts that was
actually a copy of the AD CS certificate, not the subordinate
certificate. In the case of a subordinate installation do you want the
root or the subordinate CA? It would seem that the root would be
broader, but I just want to make sure.

The IPA CA cert should be sufficient.

rob
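As an added example (not code from the thread or from the FreeIPA project), this is the PEM-to-single-line conversion Rob describes for ca.signing.cert, with a decode check so a mangled paste is caught before it lands in CS.cfg, plus the line replacement itself. The certificate bytes and the CS.cfg fragment are constructed stand-ins, not a real certificate or a real config file.

```python
import base64
import re

# Constructed stand-in for ipa.crt: a tiny DER SEQUENCE (0x30, length 0x69)
# holding an INTEGER and a 100-byte OCTET STRING. It is NOT a real certificate,
# but it is long enough to wrap across several PEM lines like a real one.
_DER = b"\x30\x69" + b"\x02\x01\x01" + b"\x04\x64" + b"x" * 100
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(re.findall(".{1,64}", base64.b64encode(_DER).decode()))
    + "\n-----END CERTIFICATE-----\n"
)

# Constructed CS.cfg fragment; only the ca.signing.cert key matters here.
SAMPLE_CS_CFG = "# constructed CS.cfg fragment, not a real file\nca.signing.cert=OLDVALUE\n"


def pem_to_single_line(pem: str) -> str:
    """Drop the BEGIN/END lines and join the base64 body into one line,
    the form ca.signing.cert in CS.cfg expects."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    value = "".join(body)
    # Sanity check before editing CS.cfg: the value must be valid base64 and
    # a certificate is a DER SEQUENCE, so the first decoded byte is 0x30.
    der = base64.b64decode(value, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("body is not a base64-encoded DER certificate")
    return value


def set_signing_cert(cs_cfg: str, value: str) -> str:
    """Return cs_cfg with its single ca.signing.cert= line replaced."""
    pattern = re.compile(r"^ca\.signing\.cert=.*$", re.MULTILINE)
    new_cfg, n = pattern.subn(lambda _m: "ca.signing.cert=" + value, cs_cfg)
    if n != 1:
        raise ValueError(f"expected exactly one ca.signing.cert line, found {n}")
    return new_cfg


if __name__ == "__main__":
    one_line = pem_to_single_line(SAMPLE_PEM)
    print(set_signing_cert(SAMPLE_CS_CFG, one_line))
```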

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
