First of all, thanks for the quick response Florence!

I have a question about your suggested steps [1] and [2]:
For [1], "ipa-cacert-manage install cert.pem": which certificate is this?
Is it the ChainBundle cert (root cert + intermediate cert)?
For [2], "ipa-server-certinstall -d /path/to/pkcs12.p12": which
certificate is this pkcs12.p12? Is it the server cert?

Here's exactly what I ran initially to install the IPA server with the
Verisign certs, by following your suggestion last time (at the Admin manual
2.3.6. Installing Without a CA), and it worked well:

# ipa-server-install --http-cert-file ServerCertificate.crt
--http-cert-file ipaserver1.encrypted.key --http-pin MYipakey
--dirsrv-cert-file ServerCertificate.crt --dirsrv-cert-file
ipaserver1.encrypted.key --dirsrv-pin MYipakey --ca-cert-file

So, basically the installation requested 3 items: the server
key (ipaserver1.encrypted.key), the server certificate from
Verisign (ServerCertificate.crt), and the "root+intermediate" certs from
Now let's say such a Verisign certificate expires, and I want to replace the
certs with ones from GoDaddy (another public cert provider). I assume a new set of
certs, including the new key, the new server cert, and the new Chain
cert (root+intermediate), 3 items in total, will need to be included in the
commands for the third-party certificate replacement.
The steps [1] and [2] only show two inputs, so I am not sure what I have
been missing.

Please advise the detail. Thanks again!

On Wed, Oct 19, 2016 at 11:49 AM, Florence Blanc-Renaud wrote:

> On 10/19/2016 05:23 PM, beeth beeth wrote:
>> I once asked about installing IPA servers with a certificate provided by
>> a third party like
>> Verisign (
>> September/msg00440.html
>> <
>> r/msg00440.html>).
>> Florence, Rob and Jakub from Red Hat had been very helpful, and pointed
>> out the solution at
>> rise_Linux/7/html/Linux_Domain_Identity_Authentication_and_
>> Policy_Guide/install-server.html#install-server-without-ca
>> <
>> prise_Linux/7/html/Linux_Domain_Identity_Authentication_and_
>> Policy_Guide/install-server.html#install-server-without-ca>,
>> about "Installing Without a CA", and it worked great!
>> Now another problem has come up: the Verisign (or any other)
>> certificate will expire in a year or two. How can I smoothly renew the
>> Verisign certificate on the primary and replica IPA servers a year from
>> now? Or if we decide to use another provider, say a GoDaddy certificate,
>> how can I replace the existing certificate on both IPA servers? I found
>> a relevant instruction at
>> rise_Linux/7/html-single/Linux_Domain_Identity_Authenti
>> cation_and_Policy_Guide/index.html#auto-cert-renewal
>> <
>> prise_Linux/7/html-single/Linux_Domain_Identity_Authenti
>> cation_and_Policy_Guide/index.html#auto-cert-renewal>,
>> but that's about the "Dogtag" CA certificate, not about the third-party
>> certificate I am using in our upcoming production environment (running
>> IPA 4.2 on RHEL7).
> Hi,
> if you plan to use another CA (for instance switch from Verisign to
> GoDaddy), you will first need to install the new CA certificate with
> ipa-cacert-manage install and ipa-certupdate. The instructions are in 30.4
> Manual CA Certificate Installation [1].
> Then, if you want to change the HTTP and LDAP certificates for your
> server, you can use the ipa-server-certinstall utility [2].
> [1]
> rise_Linux/7/html-single/Linux_Domain_Identity_Authenti
> cation_and_Policy_Guide/index.html#manual-cert-install
> [2]
> rise_Linux/7/html-single/Linux_Domain_Identity_Authenti
> cation_and_Policy_Guide/index.html#Configuring_Certificates_
> and_Certificate_Authorities
> Hope this helps,
> Flo.
>> Please advise. Thank you!
>> Beeth
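The question above, which of the three files goes into which step, is left open at this point in the thread. The following is an added shell example (editor's code, not from the thread or from the FreeIPA project). It takes the three PEM files the poster already has (server key, server certificate, CA chain bundle), tells them apart by content, and maps them onto the two steps: the chain bundle is what step [1] consumes, and step [2] takes a PKCS#12 built with openssl from the server certificate and its private key. Assumptions not stated in the thread: ipa-cacert-manage install is given one CA certificate per call (hence the bundle is split first), and the -w/--http and --pin switches of ipa-server-certinstall come from the tool's own option list rather than from the thread. The PEM files created by the demo are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeIPA project.
# Sorts the three PEM inputs (server key, server certificate, CA chain
# bundle) into what the two replacement steps consume, and builds the
# PKCS#12 that ipa-server-certinstall takes.
# Assumptions (not stated in the thread): ipa-cacert-manage install is run
# once per CA certificate, and the .p12 holds the server certificate
# together with its private key.
set -eu

# Count X.509 certificates in a PEM file (0 for a key-only file).
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# True when the PEM file carries a private key (PKCS#1 or PKCS#8,
# encrypted or not).
pem_has_key() {
    grep -q -- '^-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Label a PEM file by content: key, server-cert, ca-chain or empty.
classify_pem() {
    if pem_has_key "$1"; then
        echo key
        return 0
    fi
    case "$(pem_cert_count "$1")" in
        0) echo empty ;;
        1) echo server-cert ;;
        *) echo ca-chain ;;
    esac
}

# Split a chain bundle into one file per certificate (BASE.1.pem,
# BASE.2.pem, ...) and print how many were written. Each part is then
# handed to ipa-cacert-manage install separately (assumption, see above).
split_chain() {
    awk -v base="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = base "." n ".pem" }
        n > 0 { print > out }
        /^-----END CERTIFICATE-----/ { close(out) }
        END { print n + 0 }
    ' "$1"
}

# Bundle server key + server certificate (+ the chain, so clients receive
# it) into the PKCS#12 for ipa-server-certinstall. Needs openssl; an
# encrypted key prompts for its passphrase unless -passin is added.
build_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -passout "pass:$5" -out "$4"
}

# Print the command sequence that maps the three files onto steps [1] and [2].
# Chain parts are written next to the chain file as CHAIN.part.N.pem.
plan() {
    key=$1 cert=$2 chain=$3 p12=$4
    count=$(split_chain "$chain" "$chain.part")
    echo "# step [1]: the chain bundle feeds ipa-cacert-manage, one CA cert per call"
    i=1
    while [ "$i" -le "$count" ]; do
        echo "ipa-cacert-manage install $chain.part.$i.pem"
        i=$((i + 1))
    done
    echo "ipa-certupdate"
    echo "# step [2]: server key + server cert travel together in the PKCS#12"
    echo "openssl pkcs12 -export -inkey $key -in $cert -certfile $chain -out $p12"
    echo "ipa-server-certinstall -d -w --pin <p12-password> $p12"
}

# Demo: sh this.sh server.key ServerCertificate.crt ChainBundle.crt [p12-pin]
if [ "$#" -ge 3 ]; then
    for f in "$1" "$2" "$3"; do
        echo "$f: $(classify_pem "$f")"
    done
    plan "$1" "$2" "$3" server.p12
    if command -v openssl >/dev/null 2>&1; then
        build_pkcs12 "$1" "$2" "$3" server.p12 "${4:-changeit}"
    fi
fi
```

Run it against the three files from the install command above and it prints which file is which, then the step [1] and step [2] commands in order; nothing touches the IPA server until those printed commands are actually run there.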
Manage your subscription for the Freeipa-users mailing list: