On 12/24/2016 01:58 AM, Josh wrote:
Hi Rob,
I'd like to really clarify the certificate renewal process. I can successfully
update certificates in /etc/dirsrv/slapd-domain and /etc/httpd/alias but
any new ipa client gets an expired certificate still present someplace in
LDAP. I was trying to use ipa-serve
Hi Flo,
looks like ipa-certupdate requires /etc/ipa/nssdb to be already updated
so it seems useless if existing certificates expired.
I am experimenting on another server with expired certificates. Was able
to successfully update /etc/httpd/alias and /etc/dirsrv/slapd-INSTANCE
but ipa comman
Hi Rob,
I'd like to really clarify the certificate renewal process. I can successfully
update certificates in /etc/dirsrv/slapd-domain and /etc/httpd/alias but
any new ipa client gets an expired certificate still present someplace in
LDAP. I was trying to use ipa-server-certinstall, described in
https
Hi Florence,
I am using the latest RHEL 7.2 IPA and would really like to find proper
instructions because every new client still gets old certificates in its
/etc/ipa/nssdb and requires manual update.
Josh.
On 08/10/2016 04:22 AM, Florence Blanc-Renaud wrote:
Hi Josh,
depending on your IPA ver
Hi Josh,
depending on your IPA version, you may consider using
ipa-server-certinstall and ipa-certupdate.
ipa-server-certinstall can be used to install a new certificate for
Apache/LDAP servers, and ipa-certupdate to update the NSS DBs with the
CA certificates found in the LDAP server.
Flo
Rob,
One must also update /etc/ipa/nssdb the same way, otherwise the ipa cli tool
gets SEC_ERROR_UNTRUSTED_ISSUER!
It would be nice to have an IPA tool to update all certificates in all
required places.
Also, why would I need to add a CA that is already in the system ca-trust to the
private IPA nssdb
Hi Rob,
Just a quick summary of my certificate renewal experience.
I started with a worst case scenario assumption - the original CSR and key
are no longer available.
1. export old certificate in pkcs12 format
pk12util -d /etc/httpd/alias -n 'certificate alias' -o /tmp/ipa.p12 -k
/etc/httpd/alias/pw
j...@use.startmail.com wrote:
On Tuesday, June 28, 2016 10:50 AM, Rob Crittenden wrote:
j...@use.startmail.com wrote:
Greetings,
About a year ago I installed my freeipa server with certificates from
startssl using command line options --dirsrv-cert-file --http-cert-file
etc.
The certificate i
On Tuesday, June 28, 2016 10:50 AM, Rob Crittenden wrote:
> j...@use.startmail.com wrote:
>> Greetings,
>>
>> About a year ago I installed my freeipa server with certificates from
>> startssl using command line options --dirsrv-cert-file --http-cert-file
>> etc.
>> The certificate is about to expi
j...@use.startmail.com wrote:
Greetings,
About a year ago I installed my freeipa server with certificates from
startssl using command line options --dirsrv-cert-file --http-cert-file
etc.
The certificate is about to expire, what is the proper way to update it
in all places?
It depends on wheth
Greetings,
About a year ago I installed my freeipa server with certificates from
startssl using command line options --dirsrv-cert-file --http-cert-file
etc.
The certificate is about to expire, what is the proper way to update it
in all places?
--
Josh.