On Tuesday, June 28, 2016 10:50 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> j...@use.startmail.com wrote:
>> Greetings,
>>
>> About a year ago I installed my freeipa server with certificates from
>> startssl using command line options --dirsrv-cert-file --http-cert-file
>> etc.
>> The certificate is about to expire, what is the proper way to update it
>> in all places?
> 
> It depends on whether you kept the original CSR or not. If you kept the
> original CSR and are just renewing the certificate(s) then when you get
> the new one, use certutil to add the updated cert to the appropriate NSS
> database like:
> 
> # certutil -A -n Server-Cert -d /etc/httpd/alias -t u,u,u -a -i
> /path/to/new.crt
> 

Rob,

Thank you, that worked just fine, except that I had to update an intermediate 
certificate as well.

Two questions, please:

1. I noticed a strange discrepancy in behavior between /etc/httpd/alias and
/etc/dirsrv/slapd-domain.
In both places the original intermediate certificate is listed with empty ",,"
trust attributes, so I initially added the new intermediate certificate with
empty attributes as well.
certutil -V showed a valid certificate in /etc/httpd/alias but not trusted in
/etc/dirsrv/slapd-domain, so I had to modify the intermediate certificate with
-t "C,,".

2. Just out of curiosity I wanted to list the private keys and was prompted for
a password:
# certutil -K -d /etc/httpd/alias/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and 
Certificate Services"
Enter Password or Pin for "NSS Certificate DB":

Which one of the many user-provided passwords is used by the
ipa-server-install command during NSS database initialization?

Josh.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
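Added example, not from this thread or from the FreeIPA project: a POSIX shell script that performs the renewal Rob describes (certutil -A of the renewed cert into an NSS database) and reproduces the trust-attribute behaviour Josh reports, against throwaway databases built locally. It assumes the NSS tools (certutil) are installed and that the script is saved as nss_renew_demo.sh; the nickname Server-Cert and the trust strings are the ones named in the thread, while the CA hierarchy, hostnames and password built by demo() are constructed test data. The FreeIPA password-file locations mentioned in a comment (/etc/httpd/alias/pwdfile and /etc/dirsrv/slapd-<INSTANCE>/pwdfile.txt, holding a random password generated at install time) are my recollection of installs from that era, stated as an assumption, so confirm them on your own server.

```shell
#!/bin/sh
# Added example (not from the list thread or the FreeIPA project): renew a
# server certificate in an NSS database with certutil and verify the result.
# Requires the NSS tools (certutil). Nicknames and trust strings follow the
# thread; demo() builds throwaway, constructed test data in a scratch dir.
set -u

# Validate a certificate for SSL server usage (-u V). Extra args (e.g. -f
# pwfile) are passed through to certutil. Non-zero exit if not valid.
nss_verify_server_cert() {
    v_db=$1 v_nick=$2
    shift 2
    certutil -V -d "$v_db" -n "$v_nick" -u V "$@"
}

# Change the trust flags of an already-imported cert, e.g. ",," -> "C,,".
nss_set_trust() {
    certutil -M -d "$1" -n "$2" -t "$3"
}

# List private keys. -K needs the key DB password; -f reads it from a file
# instead of prompting. For FreeIPA that file is, to my recollection (an
# assumption here), /etc/httpd/alias/pwdfile and
# /etc/dirsrv/slapd-<INSTANCE>/pwdfile.txt: a random install-time password,
# not one of the passwords the administrator typed.
nss_list_keys() {
    certutil -K -d "$1" -f "$2"
}

# Import a renewed server cert plus its issuing intermediate, then verify.
#   $1 NSS DB dir   $2 server cert PEM   $3 intermediate PEM
#   $4 intermediate nickname   $5 server nickname   $6 password file (optional)
# "C,," marks the intermediate as a trusted CA for SSL, so the chain validates
# even when the root is absent from this DB (one reading of the difference
# Josh saw between the two databases); "u,u,u" marks the server cert as ours,
# because the DB already holds the private key the original CSR was made from.
nss_renew_cert() {
    r_db=$1 r_cert=$2 r_inter=$3 r_inter_nick=$4 r_nick=$5 r_pw=${6:-}
    if [ -n "$r_pw" ]; then set -- -f "$r_pw"; else set --; fi
    certutil -A -d "$r_db" -n "$r_inter_nick" -t "C,," -a -i "$r_inter" "$@" || return 1
    certutil -A -d "$r_db" -n "$r_nick" -t "u,u,u" -a -i "$r_cert" "$@" || return 1
    nss_verify_server_cert "$r_db" "$r_nick" "$@"
}

# Constructed scenario: root -> intermediate in a CA DB, server key in its own
# DB under $1. Returns 0 when (a) -V fails with the intermediate at ",," and no
# root present, (b) passes after "C,,", and (c) a renewed cert issued for the
# original CSR imports and verifies through nss_renew_cert.
demo() {
    d_work=$1 d_ca=$1/ca d_srv=$1/server d_pw=$1/pwdfile d_noise=$1/noise
    mkdir -p "$d_ca" "$d_srv"
    printf 'constructed-test-password\n' > "$d_pw"
    dd if=/dev/urandom of="$d_noise" bs=64 count=1 2>/dev/null
    certutil -N -d "$d_ca" -f "$d_pw" && certutil -N -d "$d_srv" -f "$d_pw" || return 1

    # CA side; -2 adds basicConstraints (answers: CA=yes, no path limit, critical).
    printf 'y\n\ny\n' | certutil -S -d "$d_ca" -f "$d_pw" -z "$d_noise" -n root \
        -s "CN=Constructed Root" -x -t "CT,," -k rsa -g 2048 -v 12 -m 1 -2 >/dev/null || return 1
    printf 'y\n\ny\n' | certutil -S -d "$d_ca" -f "$d_pw" -z "$d_noise" -n inter \
        -s "CN=Constructed Intermediate" -c root -t ",," -k rsa -g 2048 -v 12 -m 2 -2 >/dev/null || return 1
    certutil -L -d "$d_ca" -n inter -a > "$d_work/inter.pem" || return 1

    # Server side: key pair and CSR (the "original CSR"), first cert issued.
    certutil -R -d "$d_srv" -f "$d_pw" -z "$d_noise" -s "CN=ipa.example.test" \
        -k rsa -g 2048 -a -o "$d_work/server.csr" >/dev/null || return 1
    certutil -C -d "$d_ca" -f "$d_pw" -c inter -i "$d_work/server.csr" -a \
        -o "$d_work/server-old.pem" -v 12 -m 3 >/dev/null || return 1

    # (a) Intermediate with empty trust, as Josh first did: no root in this DB,
    # so the chain ends at an untrusted cert and -V must fail.
    certutil -A -d "$d_srv" -n inter -t ",," -a -i "$d_work/inter.pem" || return 1
    certutil -A -d "$d_srv" -n Server-Cert -t "u,u,u" -a -i "$d_work/server-old.pem" || return 1
    if nss_verify_server_cert "$d_srv" Server-Cert >/dev/null 2>&1; then return 1; fi

    # (b) Trust the intermediate as an SSL CA: -V now passes.
    nss_set_trust "$d_srv" inter "C,," || return 1
    nss_verify_server_cert "$d_srv" Server-Cert >/dev/null || return 1

    # (c) Renewal: new cert for the same CSR (same key), imported under the
    # existing nickname; the password file keeps certutil from prompting.
    certutil -C -d "$d_ca" -f "$d_pw" -c inter -i "$d_work/server.csr" -a \
        -o "$d_work/server-new.pem" -v 12 -m 4 >/dev/null || return 1
    nss_renew_cert "$d_srv" "$d_work/server-new.pem" "$d_work/inter.pem" inter Server-Cert "$d_pw" >/dev/null || return 1

    # The key is now listed under the cert's nickname, without a password prompt.
    nss_list_keys "$d_srv" "$d_pw" 2>&1 | grep -q Server-Cert
}

# Run the scenario when executed directly under this file name (not when sourced).
case $0 in
    *nss_renew_demo.sh)
        d_tmp=$(mktemp -d)
        if demo "$d_tmp"; then echo "renewal demo: OK"; else echo "renewal demo: FAILED"; fi
        rm -rf "$d_tmp" ;;
esac
```

To run it against a real FreeIPA database instead of the scratch one, call nss_renew_cert with /etc/httpd/alias (or /etc/dirsrv/slapd-<INSTANCE>) and the PEM files from the CA, then nss_list_keys with the instance's password file; the functions never touch /etc themselves.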