Re: [Freeipa-users] Renew / Replace third-party certificate for IPA Servers(primary and replica)

2016-10-20 Thread Florence Blanc-Renaud

On 10/20/2016 05:05 AM, beeth beeth wrote:

First of all, thanks for the quick response Florence!

I have a question about your suggested steps [1] and [2]:
For [1],  "ipa-cacert-manage install cert.pem". Which certificate is
this? Is it the ChainBundle cert(root cert + intermediate cert)?
For [2],  "ipa-server-certinstall -d /path/to/pkcs12.p12" . Which
certificate is this pkcs12.p12? Is it the Server cert?

Here's exactly what I ran initially to install the IPA server with the
Verisign certs, by following your suggestion last time(at the Admin
manual 2.3.6. Installing Without a CA), and it worked well:

# ipa-server-install --http-cert-file ServerCertificate.crt
--http-cert-file ipaserver1.encrypted.key --http-pin MYipakey
--dirsrv-cert-file ServerCertificate.crt --dirsrv-cert-file
ipaserver1.encrypted.key --dirsrv-pin MYipakey --ca-cert-file
ChainBundle2.crt

So, basically the installation requested 3 items: the server
key(ipaserver1.encrypted.key), the server certificate from
Verisign(ServerCertificate.crt), and the "root+intermediate" certs from
Verisign(ChainBundle2.crt).
Now let's say such Verisign certificate expires, and I want to replace
the certs from GoDaddy(another public cert provider), I assume a new set
of certs, including the new key, the new server cert, and the new Chain
cert(root+intermediate), total 3 items, will need to be included in the
commands for the third party certificate replacement.
The steps [1] and [2] only show two inputs, so I am not sure what I have
been missing.


Hi,

Sorry if I was not clear enough. The first step (ipa-cacert-manage 
install) aims at adding the CA certificate thus the root+intermediate 
certs should be provided.


The step with ipa-server-certinstall configures the Server Cert (-d if 
you want to replace the LDAP cert, -w for HTTP cert), meaning that the 
Server-Cert and key should be provided. The man page details all the 
supported formats, and it is possible to provide multiple files.


Hope this clarifies,
Flo.


Please advise the detail. Thanks again!
Beeth


On Wed, Oct 19, 2016 at 11:49 AM, Florence Blanc-Renaud wrote:

On 10/19/2016 05:23 PM, beeth beeth wrote:

I once asked about installing IPA servers with a certificate provided by
a third party like Verisign
(https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html).
Florence, Rob and Jakub from Redhat had been very helpful, and pointed
out the solution at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca,
about "Installing Without a CA", and it worked great!

Now another problem has come up: the Verisign (or any other) certificate
will expire in a year or two. How can I smoothly renew the Verisign
certificate on the primary and replica IPA servers a year from now? Or,
if we decide to use another provider, say a Godaddy certificate, how can
I replace the existing certificate on both IPA servers? I found a
relevant instruction at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#auto-cert-renewal,
but that's about the "Dogtag" CA certificate, not about the third-party
certificate I am using in our upcoming production environment (running
IPA 4.2 on RHEL7).

Hi,

if you plan to 
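
Putting Flo's two steps together with the three files from Beeth's original install command, here is an added pre-flight and planning script. It is my own example, not code from this thread, from FreeIPA or from Red Hat. It assumes the same three inputs as the ipa-server-install call above: a chain bundle holding root + intermediate (ChainBundle2.crt in the thread), the server certificate, and its private key; the helper names, the file names and the server.p12 output name are placeholders. It only checks the files and prints the ordered commands; nothing on the IPA servers is changed unless you run the printed plan yourself.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: pre-flight checks
# and an ordered plan for replacing third-party HTTP/LDAP certificates on an
# IPA server. Inputs mirror the original ipa-server-install call:
#   chain.pem   root + intermediate CA certs (ChainBundle2.crt in the thread)
#   server.crt  the server certificate issued by the public CA
#   server.key  the matching private key (may be passphrase-protected)
# Helper names and file names are assumptions, not FreeIPA conventions.

# Number of certificate blocks in a PEM file (prints 0 when there are none).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Number of private-key blocks; matches "RSA PRIVATE KEY", "ENCRYPTED PRIVATE
# KEY" and plain "PRIVATE KEY" headers.
count_keys() {
    grep -c '^-----BEGIN .*PRIVATE KEY-----' "$1" || true
}

# Sanity-check the three inputs before touching any IPA server. The chain
# bundle must carry at least two certs (root + intermediate), the server cert
# file exactly one cert, and the key file exactly one key.
check_inputs() {
    chain=$1; cert=$2; key=$3
    [ "$(count_certs "$chain")" -ge 2 ] ||
        { echo "$chain: expected root + intermediate certificates" >&2; return 1; }
    [ "$(count_certs "$cert")" -eq 1 ] ||
        { echo "$cert: expected exactly one server certificate" >&2; return 1; }
    [ "$(count_keys "$key")" -eq 1 ] ||
        { echo "$key: expected exactly one private key" >&2; return 1; }
    return 0
}

# Deeper check when openssl is installed: the server cert must chain to the
# bundle, and the key's public half must equal the public key in the cert
# (catches the classic "new cert, old key" mix-up). Skipped without openssl.
verify_with_openssl() {
    chain=$1; cert=$2; key=$3
    command -v openssl >/dev/null || { echo "openssl not found, skipping" >&2; return 0; }
    openssl verify -CAfile "$chain" "$cert" >/dev/null || return 1
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Print the ordered plan. Step 1 runs once (the CA cert is stored in LDAP and
# replicated), step 2 runs on every server and client, step 3 runs on each
# server with that server's own PKCS#12. Nothing is executed here.
print_plan() {
    chain=$1; cert=$2; key=$3; p12=${4:-server.p12}
    cat <<EOF
# 1. on one server: publish the new CA chain (root + intermediate);
#    if your ipa-cacert-manage rejects a multi-cert file, run it once per CA cert
ipa-cacert-manage install $chain
# 2. on every server and client: pull the new CA cert into the local trust stores
ipa-certupdate
# 3. per server: bundle this server's cert + key, then install it for LDAP (-d) and HTTP (-w)
openssl pkcs12 -export -in $cert -inkey $key -certfile $chain -out $p12
ipa-server-certinstall -d -w $p12
EOF
}

# Usage: sh ipa-cert-preflight.sh chain.pem server.crt server.key
if [ "$#" -eq 3 ]; then
    check_inputs "$1" "$2" "$3" && verify_with_openssl "$1" "$2" "$3" && print_plan "$1" "$2" "$3"
fi
```

The split answers Beeth's "three files, two steps" question: the chain bundle feeds step 1, and the server cert and key are combined into the PKCS#12 for step 3. On a primary plus replica, step 1 is done once, ipa-certupdate is run on both servers (and on clients), and step 3 is repeated on each server with the certificate issued for that server's own host name.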

Re: [Freeipa-users] Renew / Replace third-party certificate for IPA Servers(primary and replica)

2016-10-19 Thread beeth beeth
First of all, thanks for the quick response Florence!

I have a question about your suggested steps [1] and [2]:
For [1],  "ipa-cacert-manage install cert.pem". Which certificate is this?
Is it the ChainBundle cert(root cert + intermediate cert)?
For [2],  "ipa-server-certinstall -d /path/to/pkcs12.p12" . Which
certificate is this pkcs12.p12? Is it the Server cert?

Here's exactly what I ran initially to install the IPA server with the
Verisign certs, by following your suggestion last time(at the Admin manual
2.3.6. Installing Without a CA), and it worked well:

# ipa-server-install --http-cert-file ServerCertificate.crt
--http-cert-file ipaserver1.encrypted.key --http-pin MYipakey
--dirsrv-cert-file ServerCertificate.crt --dirsrv-cert-file
ipaserver1.encrypted.key --dirsrv-pin MYipakey --ca-cert-file
ChainBundle2.crt

So, basically the installation requested 3 items: the server
key(ipaserver1.encrypted.key), the server certificate from
Verisign(ServerCertificate.crt), and the "root+intermediate" certs from
Verisign(ChainBundle2.crt).
Now let's say such Verisign certificate expires, and I want to replace the
certs from GoDaddy(another public cert provider), I assume a new set of
certs, including the new key, the new server cert, and the new Chain
cert(root+intermediate), total 3 items, will need to be included in the
commands for the third party certificate replacement.
The steps [1] and [2] only show two inputs, so I am not sure what I have
been missing.

Please advise the detail. Thanks again!
Beeth


On Wed, Oct 19, 2016 at 11:49 AM, Florence Blanc-Renaud wrote:

> On 10/19/2016 05:23 PM, beeth beeth wrote:
>
>> I once asked about installing IPA servers with a certificate provided by
>> a third party like Verisign
>> (https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html).
>> Florence, Rob and Jakub from Redhat had been very helpful, and pointed
>> out the solution at
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca,
>> about "Installing Without a CA", and it worked great!
>>
>> Now another problem has come up: the Verisign (or any other) certificate
>> will expire in a year or two. How can I smoothly renew the Verisign
>> certificate on the primary and replica IPA servers a year from now? Or,
>> if we decide to use another provider, say a Godaddy certificate, how can
>> I replace the existing certificate on both IPA servers? I found a
>> relevant instruction at
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#auto-cert-renewal,
>> but that's about the "Dogtag" CA certificate, not about the third-party
>> certificate I am using in our upcoming production environment (running
>> IPA 4.2 on RHEL7).
>>
> Hi,
>
> if you plan to use another CA (for instance switch from Verisign to
> Godaddy), you will need first to install the new CA certificate with
> ipa-cacert-manage install and ipa-certupdate. The instructions are in 30.4
> Manual CA Certificate Installation [1].
>
> Then, if you want to change the HTTP and LDAP certificates for your
> server, you can use the ipa-server-certinstall utility [2].
>
> [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#manual-cert-install
>
> [2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#Configuring_Certificates_and_Certificate_Authorities
>
> Hope this helps,
> Flo.
>
>
> Please advise. Thank you!
>> Beeth
>>
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Renew / Replace third-party certificate for IPA Servers(primary and replica)

2016-10-19 Thread Florence Blanc-Renaud

On 10/19/2016 05:23 PM, beeth beeth wrote:

I once asked about installing IPA servers with a certificate provided by
a third party like Verisign
(https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html).
Florence, Rob and Jakub from Redhat had been very helpful, and pointed
out the solution at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca,
about "Installing Without a CA", and it worked great!

Now another problem has come up: the Verisign (or any other) certificate
will expire in a year or two. How can I smoothly renew the Verisign
certificate on the primary and replica IPA servers a year from now? Or,
if we decide to use another provider, say a Godaddy certificate, how can
I replace the existing certificate on both IPA servers? I found a
relevant instruction at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#auto-cert-renewal,
but that's about the "Dogtag" CA certificate, not about the third-party
certificate I am using in our upcoming production environment (running
IPA 4.2 on RHEL7).


Hi,

if you plan to use another CA (for instance switch from Verisign to 
Godaddy), you will need first to install the new CA certificate with 
ipa-cacert-manage install and ipa-certupdate. The instructions are in 
30.4 Manual CA Certificate Installation [1].


Then, if you want to change the HTTP and LDAP certificates for your 
server, you can use the ipa-server-certinstall utility [2].


[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#manual-cert-install

[2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#Configuring_Certificates_and_Certificate_Authorities


Hope this helps,
Flo.


Please advise. Thank you!
Beeth




[Freeipa-users] Renew / Replace third-party certificate for IPA Servers(primary and replica)

2016-10-19 Thread beeth beeth
I once asked about installing IPA servers with a certificate provided by
a third party like Verisign
(https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html).
Florence, Rob and Jakub from Redhat had been very helpful, and pointed out
the solution at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca,
about "Installing Without a CA", and it worked great!

Now another problem has come up: the Verisign (or any other) certificate
will expire in a year or two. How can I smoothly renew the Verisign
certificate on the primary and replica IPA servers a year from now? Or,
if we decide to use another provider, say a Godaddy certificate, how can
I replace the existing certificate on both IPA servers? I found a
relevant instruction at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#auto-cert-renewal,
but that's about the "Dogtag" CA certificate, not about the third-party
certificate I am using in our upcoming production environment (running
IPA 4.2 on RHEL7).

Please advise. Thank you!
Beeth