On 10/19/2016 05:23 PM, beeth beeth wrote:
I once asked about installing IPA servers with a certificate provided by
a third party like Verisign
(https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html).
Florence, Rob and Jakub from Red Hat had been very helpful, and pointed
out the solution at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca,
about "Installing Without a CA", and it worked great!

Now another problem has come up: the Verisign (or any other)
certificate will expire in a year or two. How can I smoothly renew the
Verisign certificate on the primary and replica IPA servers a year from
now? Or if we decide to use another provider, say a Godaddy certificate,
how can I replace the existing certificate on both IPA servers? I found
a relevant instruction at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#auto-cert-renewal,
but that's about the "Dogtag" CA certificate, not about the third-party
certificate I am using in our upcoming production environment (running
IPA 4.2 on RHEL7).

Hi,

if you plan to use another CA (for instance switch from Verisign to Godaddy), you will need first to install the new CA certificate with ipa-cacert-manage install and ipa-certupdate. The instructions are in 30.4 Manual CA Certificate Installation [1].

Then, if you want to change the HTTP and LDAP certificates for your server, you can use the ipa-server-certinstall utility [2].

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#manual-cert-install

[2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#Configuring_Certificates_and_Certificate_Authorities

Hope this helps,
Flo.

Please advise. Thank you!
Beeth
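
The order of operations from the reply above, as an added example that is not part of the original thread: a dry-run shell helper that compares the issuer of the installed certificate with the replacement and prints the commands to run on each IPA server. File names are hypothetical placeholders, `openssl` is assumed to be installed, and the `-w -d KEY CERT` argument form of `ipa-server-certinstall` is an assumption taken from the RHEL 7 guide, not from this thread.

```shell
#!/bin/sh
# Added example: prints a plan only, it never runs any ipa-* command.

# Print the issuer line of a PEM certificate.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# Succeed when the certificate in $1 expires within $2 days.
# "openssl x509 -checkend N" exits 0 when the certificate is still
# valid N seconds from now, so the result is negated.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# plan_cert_replacement CURRENT_CERT NEW_CERT NEW_KEY NEW_CA_CERT
# All four arguments are PEM files; the names are placeholders.
plan_cert_replacement() {
    cur=$1 new=$2 key=$3 ca=$4

    if [ "$(cert_issuer "$cur")" != "$(cert_issuer "$new")" ]; then
        # Different issuing CA: its certificate has to be installed
        # before the server certificate is swapped.
        echo "ipa-cacert-manage install $ca"
        echo "ipa-certupdate"
    fi

    # Same CA (plain renewal) or new CA: replace the HTTP (-w) and
    # LDAP (-d) certificates on this server.
    echo "ipa-server-certinstall -w -d $key $new"
}

# Stand-alone use: ./plan.sh current.pem new.pem new.key new-ca.pem
if [ "$#" -eq 4 ]; then
    if expires_within_days "$1" 30; then
        echo "# current certificate expires within 30 days"
    fi
    plan_cert_replacement "$@"
fi
```

A changed issuer DN is used here as the signal for "another CA"; run the helper on the primary and on the replica, since each server has its own HTTP and LDAP certificates.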
