Peter Pakos wrote:
> On 15/01/2016 15:04, Rob Crittenden wrote:
>> Discussed in IRC last night but for the sake of history, he needed to
>> add the CAs to the dogtag NSS database in
>> /var/lib/pki/pki-tomcat/alias/ with a trust of C,,.
>
> Yes, I added new root certificates to /etc/pki/pki-tomcat/alias and I
> was able to start all services.
>
> I've noticed that the ipa-certupdate command removes them and we're back
> to square one. Why is it doing this? Which database is it retrieving
> certificates from?

From LDAP. It is dropping current certs and replacing them with those in
the NSS database.

> I've re-run ipa-certupdate in verbose mode and I could see that it
> removes all certificates in different databases (/etc/httpd/alias,
> /etc/pki/nssdb, /etc/pki/pki-tomcat/alias) and then re-adds them (apart
> from /etc/pki/pki-tomcat/alias).

Yup, looks like this part is missing. Perhaps the assumption was that the
CA would be authoritative in this regard.

> Also, what is the correct process for renewing a 3rd-party certificate?
> Will it be pushed automatically to all servers/clients? I don't want to
> be in trouble when it comes to renewing it.

There are two things here: the server certificates and the CA
certificates. In both cases you are on your own in doing this for now;
you won't get any notification of impending expiration unless your
issuing CA tells you.

For the server certificates, renewal depends on your CA but usually
involves resubmitting the original CSR and getting an updated
certificate. You then take that to your IPA servers and install that
updated certificate. You should be able to do this with certutil. This
only affects the IPA masters.

To update the CA certs, you'd want to add them to LDAP, replacing the
older ones, and then ipa-certupdate will do the rest. You'd need to run
this on all clients and servers.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
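The check a practitioner would want after the exchange above is a way to confirm, on every server, that the third-party CA survived a run of ipa-certupdate in each NSS database the thread names, with the trust Rob describes, and to re-add it where it did not. The script below is an added example and is not code from the thread or from the FreeIPA project. It uses only the certutil and openssl invocations that exist in nss-tools and OpenSSL; the database list, the nicknames ("Example Corp Root CA" and so on) and the embedded certutil listing are constructed for illustration and are not from any real host.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: after running
# ipa-certupdate, confirm that each third-party CA is still present with
# trust "C,," in the NSS databases the thread names, re-add it where it is
# not, and warn about server certificates nearing expiry. Database paths,
# nicknames and the sample listing below are assumptions for illustration.

# NSS databases mentioned in the thread. The dogtag one is the database the
# thread says ipa-certupdate does not repopulate (it is referred to as both
# /etc/pki/pki-tomcat/alias and /var/lib/pki/pki-tomcat/alias there).
NSS_DBS="/etc/httpd/alias /etc/pki/nssdb /var/lib/pki/pki-tomcat/alias"

# Read a `certutil -L` listing on stdin and, for each nickname given as an
# argument, print it if it is absent or if its SSL trust column lacks the
# C flag (i.e. the database no longer trusts it as a CA for server certs).
ca_missing_c_trust() {
    listing=$(cat)
    for nick in "$@"; do
        trust=$(printf '%s\n' "$listing" | awk -v want="$nick" '
            # The trust attributes are the last field and look like C,, or
            # CTu,Cu,Cu; header and blank lines never match this pattern.
            $NF ~ /^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$/ {
                t = $NF
                sub(/[ \t]+[^ \t]+[ \t]*$/, "")    # drop the trust column
                if ($0 == want) print t
            }')
        ssl=${trust%%,*}                          # first column: SSL trust
        case "$ssl" in
            *C*) ;;                               # trusted CA for SSL: fine
            *)   printf '%s\n' "$nick" ;;
        esac
    done
}

# Re-add a CA certificate file (PEM or DER) to one database with the trust
# the thread describes for the dogtag database. Needs certutil (nss-tools).
add_ca_to_db() {
    certutil -A -d "$1" -n "$2" -t "C,," -i "$3"
}

# Live check of every database above; pass the expected CA nicknames.
check_all_dbs() {
    for db in $NSS_DBS; do
        missing=$(certutil -L -d "$db" 2>/dev/null | ca_missing_c_trust "$@")
        if [ -n "$missing" ]; then
            printf '%s: missing or untrusted CA(s):\n%s\n' "$db" "$missing"
        fi
    done
}

# The thread notes nobody warns you about expiry of third-party server
# certs. Export one cert as PEM and ask openssl whether it expires within
# N days (default 30); exit status 0 means it is still valid for that long.
warn_if_expiring() {
    db=$1; nick=$2; days=${3:-30}
    if ! certutil -L -d "$db" -n "$nick" -a |
         openssl x509 -noout -checkend "$((days * 86400))"; then
        printf '%s (%s) expires within %s days; renew it with your CA\n' \
            "$nick" "$db" "$days"
        return 1
    fi
}

# Constructed sample of `certutil -L` output (not captured from a real host)
# so the parsing can be exercised without certutil installed.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
Example Corp Root CA                                         C,,
Example Corp Issuing CA                                      ,,'

# Against the sample: the Root CA is fine, the Issuing CA lost its C flag,
# and the Old CA is gone entirely, so the last two are reported.
printf '%s\n' "$SAMPLE_LISTING" |
    ca_missing_c_trust "Example Corp Root CA" "Example Corp Issuing CA" \
                       "Example Corp Old CA"
```

In live use, run `check_all_dbs "Example Corp Root CA"` on each IPA master after ipa-certupdate, call `add_ca_to_db /var/lib/pki/pki-tomcat/alias "Example Corp Root CA" /path/to/root.pem` for whatever it reports, and put `warn_if_expiring /etc/httpd/alias Server-Cert 30` in a cron job, since, as the reply says, nothing else will tell you a third-party certificate is about to expire. The SSL column is the one checked because Rob's `C,,` sets the CA flag only there; a `,C,` entry would be trusted for S/MIME but not for the server certificates this thread is about.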