Hello,
I am using the embedded CA for FreeIPA as well as an external CA signed by Digicert. However, the certificate will be expiring next month.
After renewal, do I need to install the certificate again using the same steps mentioned at the following link? https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
Similarly, how will I be able to update the new certificate on my IPA clients too? Do I need to follow the steps below on all IPA clients?

```shell
certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i ipa.crt
cp ipa.crt /etc/ipa/ca.crt
```

Can you please briefly describe the exact procedure to follow for the third-party SSL cert renewal?
Thanks and Regards,
Alka Murali
On Thu, Aug 17, 2017 at 11:01:41AM +0800, Alka Murali via FreeIPA-users wrote:
Hi Alka,
For **service certificates** use `ipa-server-certinstall` or `certutil -A` to update the certificate(s) on the server(s). No action is required on clients.
For **CA certificates** ... is your IPA CA certificate really signed by Digicert? If so, use `ipa-cacert-manage install` to install the new CA certificate. This only needs to be done on one master. Then run `ipa-certupdate` on masters and clients to force an immediate refresh of the CA certificates on those hosts.
Cheers, Fraser
Hi Fraser,
Thanks for the reply.
However, I have both my IPA CA and a third-party CA, where the IPA CA is self-signed and the third-party CA is signed by DigiCert. So if my SSL certificate is going to expire next month, all that I need to do is to execute `certutil -A` alone?
I have installed the FreeIPA server with the default CA provided by IPA (self-signed). Later I installed my third-party SSL certificate on top of it. Now my SSL certificate is going to expire next month. So is `certutil -A` needed for the new certificate to get used by IPA?
Thanks and Regards, Alka Murali
On Thu, Aug 17, 2017 at 1:06 PM, Fraser Tweedale ftweedal@redhat.com wrote:
On Thu, Aug 17, 2017 at 01:14:00PM +0800, Alka Murali via FreeIPA-users wrote:
Hi Fraser,
Thanks for the reply.
However, I have both my IPA CA and a third-party CA, where the IPA CA is self-signed and the third-party CA is signed by DigiCert. So if my SSL certificate is going to expire next month, all that I need to do is to execute `certutil -A` alone?
That's correct (or use `ipa-server-certinstall` to do the same thing).
I have installed the FreeIPA server with the default CA provided by IPA (self-signed). Later I installed my third-party SSL certificate on top of it. Now my SSL certificate is going to expire next month. So is `certutil -A` needed for the new certificate to get used by IPA?
Yes, you need to put the new certificate in the application's NSSDB, then restart the application (httpd and/or dirsrv) so that it is using the new certificate. Clients will already trust the Digicert CA so no other action should be required.
Cheers, Fraser
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
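The procedure Fraser describes (new certificate into the application's NSSDB, then restart httpd/dirsrv) is easy to get half right, so here are check helpers written as an added example; this is not code from the thread or from FreeIPA. It assumes GNU date, openssl and certutil on PATH, the nickname Server-Cert, and NSSDB paths such as /etc/httpd/alias or /etc/dirsrv/slapd-<INSTANCE>; the trust-flag check also catches the case where only the certificate, not its key, ended up in the database.

```shell
# Added example, not code from the thread or from FreeIPA: helpers for checking a
# third-party HTTP/LDAP service certificate renewal on a FreeIPA master.
# Assumed: GNU date, openssl and certutil on PATH, NSSDB paths such as
# /etc/httpd/alias or /etc/dirsrv/slapd-<INSTANCE>, and the nickname Server-Cert.

# Whole days until the "notAfter=Mon DD HH:MM:SS YYYY GMT" line that
# `openssl x509 -enddate -noout -in cert.pem` prints. An optional second
# argument fixes "now" as an epoch value so the function can be tested offline.
days_until_expiry() {
    local end_epoch now_epoch
    end_epoch=$(date -u -d "${1#notAfter=}" +%s) || return 2
    now_epoch=${2:-$(date -u +%s)}
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Trust flags of one nickname in `certutil -L -d <nssdb>` output read on stdin.
# "u,u,u" means the database also holds the private key. ",," means certutil -A
# imported a certificate whose key was never in this database, so httpd/dirsrv
# cannot use it: import the key pair with pk12util -i (or ipa-server-certinstall
# with a PKCS#12 file) instead.
nss_trust_flags() {
    local nick="$1" line
    while IFS= read -r line; do
        case "$line" in
            "$nick"\ *) echo "${line##* }"; return 0 ;;
        esac
    done
    return 1
}

# SHA-256 fingerprints of the certificate in a file and of the one actually
# presented on host:port (443 for httpd, 636 for LDAPS on dirsrv).
file_fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$1"; }
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# Run after the new certificate was added with certutil -A and the service was
# restarted: the DB must hold the key, and the service must present the new cert.
verify_renewal() {
    local pem="$1" nssdb="$2" host="$3" port="$4" rc=0
    [ "$(certutil -L -d "$nssdb" | nss_trust_flags Server-Cert)" = "u,u,u" ] \
        || { echo "Server-Cert in $nssdb has no private key" >&2; rc=1; }
    [ "$(file_fingerprint "$pem")" = "$(served_fingerprint "$host" "$port")" ] \
        || { echo "$host:$port still serves the old certificate; restart needed?" >&2; rc=1; }
    return $rc
}
```

A typical post-restart call would be `verify_renewal /root/new-server.pem /etc/httpd/alias ipa.example.com 443` (paths and host are placeholders), repeated with the dirsrv NSSDB and port 636 for LDAP.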
Hello Alka, as I understood, you had set up a 3rd-party SSL certificate on top of a self-signed one? Could you please help me with a similar task in my thread? https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost... Thanks!