Re: [Freeipa-users] updating certificates

2017-01-04 Thread Florence Blanc-Renaud
On 12/24/2016 01:58 AM, Josh wrote: Hi Rob, I'd like to really clarify renew certificate process. I can successfully update certificates in /etc/dirsrv/slapd-domain and /etc/httpd/alias but any new ipa client gets expired certificate still present someplace in LDAP. I was trying to use

Re: [Freeipa-users] updating certificates

2016-12-23 Thread Josh
Hi Flo, looks like ipa-certupdate requires /etc/ipa/nssdb to be already updated so it seems useless if existing certificates expired. I am experimenting on another server with expired certificates. Was able to successfully update /etc/httpd/alias and /etc/dirsrv/slapd-INSTANCE but ipa

Re: [Freeipa-users] updating certificates

2016-12-23 Thread Josh
Hi Rob, I'd like to really clarify renew certificate process. I can successfully update certificates in /etc/dirsrv/slapd-domain and /etc/httpd/alias but any new ipa client gets expired certificate still present someplace in LDAP. I was trying to use ipa-server-certinstall, described in

Re: [Freeipa-users] updating certificates

2016-08-12 Thread Josh
Hi Florence, I am using latest RHEL 7.2 IPA and would really like to find proper instructions because every new client still gets old certificates in its /etc/ipa/nssdb and requires manual update. Josh. On 08/10/2016 04:22 AM, Florence Blanc-Renaud wrote: Hi Josh, depending on your IPA

Re: [Freeipa-users] updating certificates

2016-08-10 Thread Florence Blanc-Renaud
Hi Josh, depending on your IPA version, you may consider using ipa-server-certinstall and ipa-certupdate. ipa-server-certinstall can be used to install a new certificate for Apache/LDAP servers, and ipa-certupdate to update the NSS DBs with the CA certificates found in the LDAP server.

Re: [Freeipa-users] updating certificates

2016-08-09 Thread Josh
Rob, One must also update /etc/ipa/nssdb the same way, otherwise the ipa cli tool gets SEC_ERROR_UNTRUSTED_ISSUER! It would be nice to have an IPA tool to update all certificates in all required places. Also, why would I need to add a CA that is already in system ca-trust to the private IPA

Re: [Freeipa-users] updating certificates

2016-08-01 Thread Josh
Hi Rob, Just a quick summary on my certificate renew experience. I started with a worst case scenario assumption - original CSR and key is no longer available. 1. export old certificate in pkcs12 format pk12util -d /etc/httpd/alias -n 'certificate alias' -o /tmp/ipa.p12 -k

Re: [Freeipa-users] updating certificates

2016-07-11 Thread Rob Crittenden
j...@use.startmail.com wrote: On Tuesday, June 28, 2016 10:50 AM, Rob Crittenden wrote: j...@use.startmail.com wrote: Greetings, About a year ago I installed my freeipa server with certificates from startssl using command line options --dirsrv-cert-file --http-cert-file

Re: [Freeipa-users] updating certificates

2016-07-10 Thread jcnt
On Tuesday, June 28, 2016 10:50 AM, Rob Crittenden wrote:
> j...@use.startmail.com wrote:
>> Greetings,
>>
>> About a year ago I installed my freeipa server with certificates from
>> startssl using command line options --dirsrv-cert-file --http-cert-file
>> etc.
>> The

[Freeipa-users] updating certificates

2016-06-27 Thread jcnt
Greetings, About a year ago I installed my freeipa server with certificates from startssl using command line options --dirsrv-cert-file --http-cert-file etc. The certificate is about to expire, what is the proper way to update it in all places? -- Josh.