Hi Josh,

depending on your IPA version, you may consider using ipa-server-certinstall and ipa-certupdate.


ipa-server-certinstall can be used to install a new certificate for Apache/LDAP servers, and ipa-certupdate to update the NSS DBs with the CA certificates found in the LDAP server.

Flo.

On 08/09/2016 05:48 PM, Josh wrote:
Rob,

One must also update /etc/ipa/nssdb the same way, otherwise ipa cli tool
gets SEC_ERROR_UNTRUSTED_ISSUER !

It would be nice to have an IPA tool  to update all certificates in all
required places.

Also, why would I need to add CA that already in system ca-trust to the
private IPA nssdb?

Josh.


On 06/28/2016 10:50 AM, Rob Crittenden wrote:
j...@use.startmail.com wrote:
Greetings,

About a year ago I installed my freeipa server with certificates from
startssl using command line options --dirsrv-cert-file --http-cert-file
etc.
The certificate is about to expire, what is the proper way to update it
in all places?

It depends on whether you kept the original CSR or not. If you kept
the original CSR and are just renewing the certificate(s) then when
you get the new one, use certutil to add the updated cert to the
appropriate NSS database like:

# certutil -A -n Server-Cert -d /etc/httpd/alias -t u,u,u -a -i
/path/to/new.crt

If you need to generate a new CSR then you can use
ipa-server-certinstall to install the updated key and crt files.

In either case probably worth backing up /etc/httpd/alias/*.db and
/etc/dirsrv/slapd-INSTANCE/*.db.

rob



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to