Re: [Freeipa-users] Primary certificates

2015-07-14 Thread David Kupka

On 13/07/15 16:05, Janelle wrote:

Good morning,

I was wondering, I install my servers with the self-signed certs. Now my
management wants me to use official certificates. Is there an
easy/recommended way to swap out all the certificates on all the
servers? Especially with 16 servers, just trying to figure out if this
is something I could script with PSSH or similar in order to do them all
at once. Does it matter the order?

Thank you
~Janelle



Hello!

Yes, there is an easy way:
1. Run ipa-cacert-manage renew --external-ca on one of the CA masters 
(the first ipa-server installed or any replica installed with --setup-ca).

This will generate a CSR that you need to get signed by your CA.

2. Then run ipa-cacert-manage renew --external-cert-file <signed 
certificate> --external-cert-file <your CA certificate>

This will update the IPA CA certificate in LDAP.

3. Then you need to run ipa-certupdate on all ipa servers and clients 
to distribute the new certificate.


--
David Kupka

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
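
Added example, not part of the thread or of FreeIPA: one way to script step 3 of the reply above across many hosts, recording which hosts failed so none is left trusting only the old CA. The function names, the RUNNER and HOSTS_FILE variables, root SSH access and the one-FQDN-per-line hosts file are assumptions; steps 1 and 2 must already be finished on one CA master.

```shell
#!/bin/sh
# Added example: roll out `ipa-certupdate` (step 3) host by host.
# Assumptions (not from the thread): root SSH access to every host and
# a hosts file with one FQDN per line. Steps 1 and 2 must already be
# complete on one CA master before this runs.

# RUNNER is the remote-exec command; override it for a dry run or a test.
RUNNER=${RUNNER:-"ssh -o BatchMode=yes"}

# read_hosts FILE: print the hosts in file order, dropping comments,
# blank lines and duplicate entries.
read_hosts() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | awk 'NF && !seen[$0]++'
}

# rollout_certupdate FILE: run ipa-certupdate on each host in turn.
# Sets FAILED to the space-separated hosts whose run returned non-zero
# and returns 1 if there are any.
rollout_certupdate() {
    FAILED=""
    for host in $(read_hosts "$1"); do
        # stdin comes from /dev/null so the remote command cannot
        # consume the caller's input
        if $RUNNER "root@$host" ipa-certupdate </dev/null; then
            echo "ok     $host"
        else
            echo "FAILED $host" >&2
            FAILED="${FAILED:+$FAILED }$host"
        fi
    done
    [ -z "$FAILED" ]
}

# Runs only when HOSTS_FILE is set, e.g. HOSTS_FILE=hosts.txt sh rollout.sh
if [ -n "${HOSTS_FILE:-}" ]; then
    rollout_certupdate "$HOSTS_FILE"
fi
```

Setting RUNNER="echo" prints the command that would be sent to each host without connecting to it.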


[Freeipa-users] Primary certificates

2015-07-13 Thread Janelle

Good morning,

I was wondering, I install my servers with the self-signed certs. Now my 
management wants me to use official certificates. Is there an 
easy/recommended way to swap out all the certificates on all the 
servers? Especially with 16 servers, just trying to figure out if this 
is something I could script with PSSH or similar in order to do them all 
at once. Does it matter the order?


Thank you
~Janelle
