[Freeipa-users] Renew / Replace third-party certificate for IPA Servers(primary and replica)

beeth beeth beeth2006 at gmail.com
Thu Oct 20 03:05:31 UTC 2016


First of all, thanks for the quick response Florence!

I have question about your suggested step [1] and [2]:
For [1],  "ipa-cacert-manage install cert.pem". Which certificate is this?
Is it the ChainBundle cert(root cert + intermediate cert)?
For [2],  "ipa-server-certinstall -d /path/to/pkcs12.p12" . Which
certificate is this pkcs12.p12? Is it the Server cert?

Here's exactly what I ran initially to install the IPA server with the
Verisign certs, by following your suggestion last time(at the Admin manual
2.3.6. Installing Without a CA), and it worked well:

# ipa-server-install --http-cert-file ServerCertificate.crt \
    --http-cert-file ipaserver1.encrypted.key --http-pin MYipakey \
    --dirsrv-cert-file ServerCertificate.crt --dirsrv-cert-file ipaserver1.encrypted.key \
    --dirsrv-pin MYipakey --ca-cert-file ChainBundle2.crt

So, basically the installation requested 3 items: the server
key(ipaserver1.encrypted.key), the server certificate from
Verisign(ServerCertificate.crt), and the "root+intermediate" certs from
Verisign(ChainBundle2.crt).
Now let's say such Verisign certificate expires, and I want to replace the
certs from GoDaddy(another public cert provider), I assume a new set of
certs, including the new key, the new server cert, and the new Chain
cert(root+intermediate), total 3 items, will need to be included in the
commands for the third party certificate replacement.
The steps [1] and [2] only show two inputs, so I am not sure what I have
been missing.

Please advise the detail. Thanks again!
Beeth


On Wed, Oct 19, 2016 at 11:49 AM, Florence Blanc-Renaud <flo at redhat.com>
wrote:

> On 10/19/2016 05:23 PM, beeth beeth wrote:
>
>> I once asked about Install IPA servers with certificate provided by
>> third-party like Verisign
>> (https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html).
>> Florence, Rob and Jakub from Redhat had been very helpful, and pointed
>> out the solution at
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca,
>> about "Installing Without a CA", and it worked great!
>>
>> Now it came up another problem, is that the Verisign(or any other
>> certificate) will expire in a year or two, how can I smoothly renew the
>> Verisign certificate on the primary and replica IPA servers a year from
>> now? Or if we decide to use another provider, say Godaddy certificate,
>> how can I replace the existing certificate on both IPA servers? I found
>> a relevant instruction at
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#auto-cert-renewal,
>> but that's about the "Dogtag" CA certificate, not about the third-party
>> certificate I am using in our upcoming production environment(running
>> IPA 4.2 on RHEL7).
>>
> Hi,
>
> if you plan to use another CA (for instance switch from Verisign to
> Godaddy), you will need first to install the new CA certificate with
> ipa-cacert-manage install and ipa-certupdate. The instructions are in 30.4
> Manual CA Certificate Installation [1].
>
> Then, if you want to change the HTTP and LDAP certificates for your
> server, you can use the ipa-server-certinstall utility [2].
>
> [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#manual-cert-install
>
> [2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#Configuring_Certificates_and_Certificate_Authorities
>
> Hope this helps,
> Flo.
>
>> Please advise. Thank you!
>> Beeth
>>
>
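An added example, not code from this thread or from the FreeIPA project: a POSIX shell helper that checks a new third-party server certificate against its chain bundle and packages the key, server cert and chain into the PKCS#12 that the reply's step [2] (ipa-server-certinstall -d) consumes, leaving the chain bundle as the input for step [1] (ipa-cacert-manage install). Which file feeds which step is an assumption stated in the comments; it requires openssl, and the file names and the self-signed test material are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA). Assumed split of the three
# items: the chain bundle (root + intermediate) goes to "ipa-cacert-manage
# install"; the PKCS#12 for "ipa-server-certinstall -d" carries the new server
# key and server cert, with the chain added. File names are placeholders.
set -eu

# Reject a server cert that does not chain to the bundle or that expires within
# 30 days (2592000 s); a wrong or stale bundle is cheaper to catch here than as
# a dead HTTP/LDAP listener on the primary and the replica.
check_server_cert() {
    cert="$1"; chain="$2"
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null || return 1
}

# Package key + server cert + chain into a PIN-protected PKCS#12.
make_pkcs12() {
    key="$1"; cert="$2"; chain="$3"; out="$4"; pin="$5"
    openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
        -name "Server-Cert" -out "$out" -passout "pass:$pin"
}

# Count the certificates inside a PKCS#12 (server cert plus chain members).
count_p12_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c "BEGIN CERTIFICATE"
}

# Constructed test material standing in for the public CA's bundle and the
# server cert it issued: a throwaway root signing a one-year server cert.
make_test_material() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Test Root" \
        -keyout "$dir/root.key" -out "$dir/ChainBundle.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ipaserver1.example.test" \
        -keyout "$dir/ipaserver1.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ChainBundle.crt" \
        -CAkey "$dir/root.key" -CAcreateserial -days 365 \
        -out "$dir/ServerCertificate.crt" 2>/dev/null
}

# Stand-alone run: "sh this.sh demo" builds, checks and bundles the test material.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); make_test_material "$d"
    check_server_cert "$d/ServerCertificate.crt" "$d/ChainBundle.crt"
    make_pkcs12 "$d/ipaserver1.key" "$d/ServerCertificate.crt" \
        "$d/ChainBundle.crt" "$d/server.p12" MYipakey
    echo "certs in PKCS#12: $(count_p12_certs "$d/server.p12" MYipakey)"
fi
```

Run the check against the real ChainBundle and ServerCertificate files before touching either IPA server; a failure there means the bundle or the issued cert is wrong, not IPA.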