On 12/24/2016 01:58 AM, Josh wrote:
Hi Rob,

I'd like to really clarify the certificate renewal process. I can successfully
update certificates in /etc/dirsrv/slapd-domain and /etc/httpd/alias, but
any new IPA client still gets the expired certificate, which is still present
somewhere in LDAP. I was trying to use ipa-server-certinstall, described in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/third-party-certs-http-ldap.html
but the document does not cover the case where an intermediate certificate is
required.

Josh.

Hi Josh,

if the HTTP and LDAP certificates were signed by an intermediate CA, then you need to install both the root CA and the intermediate CA with ipa-cacert-manage install:

1/ install the root CA (if not already done)
ipa-cacert-manage install rootcert.pem
ipa-certupdate (on all the servers and clients)

2/ install the intermediate CA (if not already done)
ipa-cacert-manage install intermediatecert.pem
ipa-certupdate (on all the servers and clients)

3/ install the HTTP and LDAP certificates
ipa-server-certinstall ...

HTH,
Flo


On 07/11/2016 10:10 AM, Rob Crittenden wrote:
j...@use.startmail.com wrote:
On Tuesday, June 28, 2016 10:50 AM, Rob Crittenden
<rcrit...@redhat.com> wrote:
j...@use.startmail.com wrote:
Greetings,

About a year ago I installed my FreeIPA server with certificates from
StartSSL using the command line options --dirsrv-cert-file, --http-cert-file,
etc. The certificate is about to expire; what is the proper way to update it
in all places?

It depends on whether you kept the original CSR or not. If you kept the
original CSR and are just renewing the certificate(s), then when you get
the new one, use certutil to add the updated cert to the appropriate NSS
database like:

# certutil -A -n Server-Cert -d /etc/httpd/alias -t u,u,u -a -i /path/to/new.crt


Rob,

Thank you, that worked just fine, except that I had to update an
intermediate certificate as well.

Two questions, please:

1. I noticed a strange discrepancy in behavior between
/etc/httpd/alias and /etc/dirsrv/slapd-domain.
In both places the original intermediate certificate is listed with empty
",," trust attributes, so I initially added the new intermediate
certificate with empty attributes as well.
certutil -V showed a valid certificate in /etc/httpd/alias and a not
trusted one in /etc/dirsrv/slapd-domain, so I had to modify the intermediate
certificate with -t "C,,"

Hmm, not sure. Did the CA chain change in between the issuance of the
two certs?

Adding a new certificate shouldn't affect the trust of any other certs
so I'm not sure what happened. It could be that those subordinate CAs
were loaded the first time incorrectly but weren't used so it wasn't
noticed, I'm not really sure.

2. Just out of curiosity I wanted to list the private keys and was
prompted for a password:
# certutil -K -d /etc/httpd/alias/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":

Which one of the many passwords provided by the user is used by the
ipa-server-install command during NSS database initialization?

In each NSS directory there is a pwdfile.txt which contains the PIN
for the internal token. You can add -f /etc/httpd/alias/pwdfile.txt to
your command to list the private keys.

rob
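A check that follows from Josh's first question and Rob's pwdfile.txt hint, added here as an example and not code from the thread or from FreeIPA: parse `certutil -L` output for one NSS database, flag issuer certificates whose SSL trust slot lacks the C flag (the ",," state that left the intermediate untrusted in /etc/dirsrv/slapd-domain), and print the certutil -M command that applies the fix Josh used, with the PIN read from that database's pwdfile.txt. The listing text and the non-Server-Cert nicknames are constructed for the example; with no listing supplied it runs certutil itself.

```python
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample of `certutil -L -d <nssdb>` output. Server-Cert is the
# nickname used in the thread; the two CA nicknames are made up for this example.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
StartSSL-Intermediate-CA                                     ,,
StartSSL-Root-CA                                             CT,C,C
"""

# Trust attributes are three comma-separated flag groups (SSL, S/MIME, JAR/XPI),
# any of which may be empty, sitting at the end of the line after whitespace.
TRUST_RE = re.compile(r"^(.*?)\s+([CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)$")

def parse_listing(text: str) -> Dict[str, str]:
    """Map nickname -> trust attribute string from `certutil -L` output."""
    certs: Dict[str, str] = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line)
        if m:
            certs[m.group(1).strip()] = m.group(2)
    return certs

def untrusted_chain_certs(certs: Dict[str, str]) -> List[str]:
    """Issuer certs whose SSL slot lacks 'C' (trusted CA), i.e. the ',,' state
    that 389-ds refused to treat as a valid chain element in the thread."""
    bad = []
    for nick, trust in certs.items():
        ssl_flags = trust.split(",")[0]
        if "u" in ssl_flags:      # 'u' = we hold the private key: the server cert itself
            continue
        if "C" not in ssl_flags:
            bad.append(nick)
    return bad

def fix_commands(db_dir: str, nicknames: List[str]) -> List[str]:
    """certutil -M lines applying the -t C,, trust Josh set by hand, with the
    token PIN taken from the per-database pwdfile.txt Rob mentions."""
    return [f'certutil -M -d {db_dir} -f {db_dir}/pwdfile.txt -n "{n}" -t C,,'
            for n in nicknames]

def check_nss_db(db_dir: str, listing: Optional[str] = None) -> List[str]:
    """Audit one NSS database; pass `listing` to work offline on captured text."""
    if listing is None:
        listing = subprocess.run(["certutil", "-L", "-d", db_dir], check=True,
                                 capture_output=True, text=True).stdout
    return fix_commands(db_dir, untrusted_chain_certs(parse_listing(listing)))
```

Run it once per NSS directory (/etc/httpd/alias and /etc/dirsrv/slapd-domain) after adding a new intermediate, since the two databases are maintained separately and, as the thread shows, can end up with different trust flags.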


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
