Hi all,
I have a question regarding renewal of certificates issued to http services. I read somewhere that these certificates are automatically renewed but could not find any more details. My deployment is a standard one and I'm using the caIPAserviceCert profile.
Can anyone shed some light on the process of renewals of certificates issued to servers? If the renewal is automatic where will the new cert (I suppose key file will be the same) be stored and when is the renewal being done (how many days before it expires)?
John Stokes via FreeIPA-users wrote:
Hi all,
I have a question regarding renewal of certificates issued to http services. I read somewhere that these certificates are automatically renewed but could not find any more details. My deployment is a standard one and I'm using the caIPAserviceCert profile.
Can anyone shed some light on the process of renewals of certificates issued to servers? If the renewal is automatic where will the new cert (I suppose key file will be the same) be stored and when is the renewal being done (how many days before it expires)?
Renewal is handled by the certmonger daemon. You can check the certs it is tracking using:
# getcert list
By default the certs will attempt to be renewed starting at 28 days prior to expiration.
The CA subsystem certificates (ocsp, audit, RA agent, etc) are shared among the CAs. Because of this only one IPA master controls the renewal of those certs. You can see which master this is via: ipa config-show and looking at the 'IPA CA renewal master' value. By default this is the first master installed.
Once this renewal master renews the certificates it drops a copy into LDAP. The other masters will pick up the renewed certs from there.
The HTTP, LDAP and PKINIT certs are renewed individually on each master.
rob
Hi Rob,
Thank you for taking the time to respond. Using the command you suggested (getcert list) I can see that the system is not monitoring any of my host certificates. The ones it is tracking seem to be certificates needed for its internal operation. Is the default behaviour that certs issued to services are not automatically renewed? If yes, can I change that?
John Stokes via FreeIPA-users wrote:
Hi Rob,
Thank you for taking the time to respond. Using the command you suggested (getcert list) I can see that the system is not monitoring any of my host certificates. The ones it is tracking seem to be certificates needed for its internal operation.
What host certificates? Did you request these yourself? How?
Is the default behaviour that certs issued to services are not automatically renewed? If yes, can I change that?
Certificates requested with certmonger are automatically renewed.
rob
Hi Rob,
You are right. The certs are automatically tracked and renewed. I have two IPA servers. When using the command getcert list on the first one it did not show me any of the certificates I have issued for my servers (I'm talking about SSL certificates for web servers in my network). But on the second IPA server the command listed all issued certs and it also stated that they are tracked.
Thank you again.
Br.
John Stokes via FreeIPA-users wrote:
Hi Rob,
You are right. The certs are automatically tracked and renewed. I have two IPA servers. When using the command getcert list on the first one it did not show me any of the certificates I have issued for my servers (I'm talking about SSL certificates for web servers in my network). But on the second IPA server the command listed all issued certs and it also stated that they are tracked.
The Apache and LDAP certs are specific per master and should be tracked on each.
Unless you have replaced one or both of those certs with your own in which case renewing them is on you.
rob
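As an added example (not code from this thread, nor from FreeIPA or certmonger), here is a small Python check that reads the output of `getcert list` and applies the two points Rob makes above: certmonger starts renewal attempts 28 days before expiry, and the Apache (HTTP) and LDAP certificates are per-master and should appear as tracked on each master. It reports, for every tracked request, the days left until expiry, whether it is already inside the renewal window, and anything that would stop an automatic renewal (not tracked, auto-renew off, stuck), and it lists expected per-master certificate locations that are missing from tracking. The sample output, hostnames, dates and file paths are constructed for the example; the expected locations passed to `check_master_certs` are assumptions and should be replaced with the locations your IPA version actually uses.

```python
"""Check certmonger renewal status from `getcert list` output (added example)."""
import re
from datetime import datetime, timezone

RENEWAL_WINDOW_DAYS = 28  # certmonger begins renewal attempts this many days before expiry

# Constructed sample in the layout `getcert list` prints; all values are made up.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20230101120000':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipa1.example.com,O=EXAMPLE.COM
    expires: 2024-03-10 12:00:00 UTC
    track: yes
    auto-renew: yes
Request ID '20230101120100':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipa1.example.com,O=EXAMPLE.COM
    expires: 2025-01-01 12:00:00 UTC
    track: yes
    auto-renew: yes
Request ID '20230105090000':
    status: MONITORING
    stuck: yes
    key pair storage: type=FILE,location='/etc/pki/tls/private/web01.key'
    certificate: type=FILE,location='/etc/pki/tls/certs/web01.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=web01.example.com,O=EXAMPLE.COM
    expires: 2024-02-20 12:00:00 UTC
    track: yes
    auto-renew: no
"""

# Assumed per-master locations (HTTP cert as a PEM file, LDAP cert in the 389-ds NSS DB);
# adjust to what `getcert list` shows on your own masters.
EXPECTED_MASTER_LOCATIONS = ["/var/lib/ipa/certs/httpd.crt", "/etc/dirsrv/slapd-EXAMPLE-COM"]

# Fixed "now" so the demo and its checks are reproducible.
DEMO_NOW = datetime(2024, 2, 15, tzinfo=timezone.utc)


def parse_utc(value):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Split the output into one dict per 'Request ID' block, keyed by field name."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.match(r"Request ID '([^']+)':", line)
        if match:
            current = {"request_id": match.group(1)}
            entries.append(current)
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)  # split once: timestamps contain ':' too
            current[key] = value.strip()
    return entries


def cert_location(entry):
    """Storage path from the 'certificate:' field (NSS DB directory or PEM file)."""
    match = re.search(r"location='([^']*)'", entry.get("certificate", ""))
    return match.group(1) if match else None


def assess(entries, now):
    """Per-request renewal picture: days to expiry, window membership, blockers."""
    report = []
    for entry in entries:
        days_left = (parse_utc(entry["expires"]) - now).days
        issues = []
        if entry.get("track") != "yes":
            issues.append("not tracked")
        if entry.get("auto-renew") != "yes":
            issues.append("auto-renew disabled")
        if entry.get("stuck") == "yes":
            issues.append("stuck")
        if days_left < 0:
            issues.append("expired")
        report.append({"subject": entry.get("subject"), "days_left": days_left,
                       "in_window": days_left <= RENEWAL_WINDOW_DAYS, "issues": issues})
    return report


def check_master_certs(entries, expected_locations):
    """Expected per-master certificate locations that certmonger is not tracking here."""
    tracked = {cert_location(e) for e in entries if e.get("track") == "yes"}
    return [loc for loc in expected_locations if loc not in tracked]


if __name__ == "__main__":
    parsed = parse_getcert_list(SAMPLE_GETCERT_OUTPUT)
    for row in assess(parsed, DEMO_NOW):
        flag = "RENEWAL WINDOW" if row["in_window"] else "ok"
        print(f"{row['subject']}: {row['days_left']} days left [{flag}] {row['issues']}")
    print("missing per-master certs:", check_master_certs(parsed, EXPECTED_MASTER_LOCATIONS))
```

On a real master you would feed it `getcert list` output and the current time instead of the constructed sample; an entry that is inside the window with a non-empty `issues` list is the case to look at, since certmonger will not renew it on its own.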
freeipa-users@lists.fedorahosted.org