On Tuesday, June 28, 2016 10:50 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> j...@use.startmail.com wrote:
>> About a year ago I installed my freeipa server with certificates from
>> startssl using command line options --dirsrv-cert-file --http-cert-file
>> The certificate is about to expire, what is the proper way to update it
>> in all places?
> It depends on whether you kept the original CSR or not. If you kept the
> original CSR and are just renewing the certificate(s) then when you get
> the new one, use certutil to add the updated cert to the appropriate NSS
> database like:
> # certutil -A -n Server-Cert -d /etc/httpd/alias -t u,u,u -a -i
Thank you, that worked just fine, except that I had to update an intermediate
certificate as well.
Two questions, please:
1. I noticed a strange discrepancy in behavior between /etc/httpd/alias and
In both places the original intermediate certificate is listed with empty ",,"
trust attributes, so I initially added the new intermediate certificate with empty
attributes as well.
certutil -V showed a valid certificate in /etc/httpd/alias and not trusted in
/etc/dirsrv/slapd-domain, so I had to modify the intermediate certificate with -t
2. Just out of curiosity I wanted to list private keys and was prompted for a
# certutil -K -d /etc/httpd/alias/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and
Enter Password or Pin for "NSS Certificate DB":
Which one of the many passwords provided by a user is used by the
ipa-server-install command during NSS database initialization?