j...@use.startmail.com wrote:

About a year ago I installed my freeipa server with certificates from
startssl using command line options --dirsrv-cert-file --http-cert-file
The certificate is about to expire, what is the proper way to update it
in all places?

It depends on whether you kept the original CSR or not. If you kept the original CSR and are just renewing the certificate(s) then when you get the new one, use certutil to add the updated cert to the appropriate NSS database like:

# certutil -A -n Server-Cert -d /etc/httpd/alias -t u,u,u -a -i /path/to/new.crt

If you need to generate a new CSR then you can use ipa-server-certinstall to install the updated key and crt files.

In either case probably worth backing up /etc/httpd/alias/*.db and /etc/dirsrv/slapd-INSTANCE/*.db.


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to