On Tuesday, June 28, 2016 10:50 AM, Rob Crittenden <[email protected]> wrote:

> [email protected] wrote:
>> Greetings,
>>
>> About a year ago I installed my freeipa server with certificates from
>> startssl using command line options --dirsrv-cert-file --http-cert-file
>> etc.
>> The certificate is about to expire, what is the proper way to update it
>> in all places?
>
> It depends on whether you kept the original CSR or not. If you kept the
> original CSR and are just renewing the certificate(s) then when you get
> the new one, use certutil to add the updated cert to the appropriate NSS
> database like:
>
> # certutil -A -n Server-Cert -d /etc/httpd/alias -t u,u,u -a -i /path/to/new.crt
>
Rob,

Thank you, that worked just fine, except that I had to update an intermediate certificate as well.

Two questions, please:

1. I noticed a strange discrepancy in behavior between /etc/httpd/alias and /etc/dirsrv/slapd-domain. In both places the original intermediate certificate is listed with empty ",," trust attributes, so I initially added the new intermediate certificate with empty attributes as well. certutil -V showed a valid certificate in /etc/httpd/alias and not trusted in /etc/dirsrv/slapd-domain, so I had to modify the intermediate certificate with -t "C,,"

2. Just out of curiosity I wanted to list private keys and am prompted for a password:

# certutil -K -d /etc/httpd/alias/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":

Which one of the many passwords provided by a user is used by the ipa-server-install command during NSS database initialization?

Josh.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
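As an added example, not part of this thread, here is a small Python helper that parses the table printed by `certutil -L -d <dbdir>` and flags entries whose SSL trust column is empty, the ",," state that left the renewed intermediate untrusted in the directory server database above. The listing below is constructed, not captured from a real IPA host, and the database path in the usage stanza is a placeholder; the fix-up it prints mirrors the `-t "C,,"` modification Josh applied.

```python
import re
from typing import Dict, List

# Constructed sample of `certutil -L -d <dbdir>` output; not captured from a real IPA host.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
StartCom Class 1 Intermediate                                ,,
StartCom Class 1 Intermediate - renewed                      C,,
EXAMPLE.TEST IPA CA                                          CT,C,C
"""

# A data row is "<nickname>  <ssl>,<smime>,<jar>". The two header rows never match:
# "Trust Attributes" has no commas and "S/MIME" contains a slash.
ROW = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_certutil_list(text: str) -> Dict[str, str]:
    """Map certificate nickname -> trust attribute string (e.g. 'u,u,u')."""
    certs: Dict[str, str] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs


def untrusted_ca_entries(certs: Dict[str, str]) -> List[str]:
    """Nicknames whose SSL trust column is empty (the ',,' case): neither a user cert (u)
    nor a CA this database trusts (C/T), so a chain built through them fails `certutil -V`."""
    return [nick for nick, trust in certs.items() if trust.split(",")[0] == ""]


def fixup_commands(dbdir: str, nicks: List[str]) -> List[str]:
    """certutil -M invocations that mark each listed entry as a trusted SSL CA (-t C,,)."""
    return [f'certutil -M -d {dbdir} -n "{n}" -t "C,,"' for n in nicks]


if __name__ == "__main__":
    found = parse_certutil_list(SAMPLE_LISTING)
    flagged = untrusted_ca_entries(found)
    for nick in flagged:
        print(f"untrusted CA entry: {nick}")
    # Placeholder database directory; substitute the real /etc/dirsrv/slapd-<INSTANCE> path.
    for cmd in fixup_commands("/etc/dirsrv/slapd-INSTANCE", flagged):
        print(cmd)
```

Run it against real output with `certutil -L -d /etc/dirsrv/slapd-<INSTANCE> | python3 thisfile.py` after swapping the sample for `sys.stdin.read()`; review each printed command before applying it, since only genuine intermediate or root CA entries should receive the C flag.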
