On 13/07/15 16:05, Janelle wrote:
Good morning,

I was wondering, I install my servers with the self-signed certs. Now my
management wants me to use official certificates. Is there an
easy/recommended way to swap out all the certificates on all the
servers? Especially with 16 servers, just trying to figure out if this
is something I could script with PSSH or similar in order to do them all
at once. Does it matter the order?

Thank you
~Janelle


Hello!

Yes, there is an easy way:
1.Run "ipa-cacert-manage renew --external-ca" on one of CA masters (first ipa-server installed or any replica installed with --setup-ca).
This will generate csr you need to get signed by your CA.

2. Then run "ipa-cacert-manage renew --external-cert-file <signed certificate> --external-cert-file <your ca certificate>"
This will update the IPA CA certificate in LDAP.

3. Then you need to run "ipa-certupdate" on all ipa servers and clients to distribute the new certificate.

--
David Kupka

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to