Hi
In our current ipa implementation some of the ipa internal certificates are not able to be renewed correctly.
After a lot of support both from Red Hat and also through this list, neither of which was able to fix the issue, I was advised by Red Hat to implement a new instance of ipa and migrate to it.
I now have the new ipa instance running on RHEL7 servers, but before migrating clients and users to it I would like to test that the ipa certificate renewal will work correctly. However, I don't want to break the new instance!
I've read chapters 24 and 26 of the Linux Domain Identity, Authentication and Policy guide and I'm not sure either is relevant to renewing e.g. 'ocspSigningCert cert-pki-ca', which was one of the ones I was having problems with before.
In trying to fix the current ipa implementation we have been using e.g. 'getcert resubmit -i <id>' where <id> is the id of the 'ocspSigningCert cert-pki-ca' certificate as shown by 'getcert list'.
Is 'getcert resubmit -i <id>' a sensible way to test renewing a certificate manually in a working ipa instance?
Do I need to do anything else to propagate the new certificate to the replica?
Do I need to explicitly revoke the old certificate, and if so, how?
Thanks.
Roderick Johnstone
On Tue, May 08, 2018 at 05:35:19PM +0100, Roderick Johnstone via FreeIPA-users wrote:
Hi Roderick,
Is 'getcert resubmit -i <id>' a sensible way to test renewing a certificate manually in a working ipa instance?
Yes, this is the correct way to manually instigate renewal.
Do I need to do anything else to propagate the new certificate to the replica?
On the CA renewal master, `getcert resubmit` should renew the certificate. Then running `getcert resubmit` on a replica that is not the CA renewal master will retrieve the new certificate from LDAP.
Do I need to explicitly revoke the old certificate, and if so, how?
It is not necessary to revoke it, but if you want to, you can do it with the `ipa cert-revoke SERIAL-NUMBER` command. But don't do this until the updated cert has been installed on all the CA replicas.
Cheers, Fraser
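As an added illustration of the procedure Fraser describes (this is editorial example code, not from either post or from the FreeIPA project), the script below finds the certmonger Request ID for a certificate by its NSS nickname in `getcert list` output, resubmits it, and polls until certmonger reports MONITORING again or a CA_* failure state. It assumes certmonger's usual `getcert list` text format; the sample output in `sample_getcert_list` and the hostnames/realm in it are constructed.

```shell
#!/bin/sh
# Added example: script the renewal check from the thread.
# Assumes certmonger's `getcert list` text format and `getcert resubmit`;
# the output returned by sample_getcert_list is constructed for illustration.

# Constructed `getcert list` output for two tracked Dogtag certificates.
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20180508120000':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.TEST
	subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
	expires: 2020-04-27 12:00:00 UTC
Request ID '20180508120001':
	status: CA_UNREACHABLE
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	expires: 2020-04-27 12:00:00 UTC
EOF
}

# Print the Request ID tracking the certificate with NSS nickname $1, reading
# `getcert list` output on stdin. The nickname appears on two lines of each
# request block, so each matching ID is printed once.
request_id_for() {
    awk -v nick="$1" '
        /^Request ID / { id = $3; gsub(/[^0-9A-Za-z_-]/, "", id) }
        index($0, "nickname=\047" nick "\047") && !seen[id]++ { print id }
    '
}

# Print the certmonger status of Request ID $1 from `getcert list` output on stdin.
status_for() {
    awk -v want="$1" '
        /^Request ID / { id = $3; gsub(/[^0-9A-Za-z_-]/, "", id) }
        id == want && $1 == "status:" { print $2 }
    '
}

# Resubmit Request ID $1 and poll until certmonger is back in MONITORING
# (renewed) or reports a CA_* failure. Run on the CA renewal master first;
# the same resubmit on the other CA replicas then fetches the renewed
# certificate from LDAP. Needs a real getcert, so it is only called by the
# operator, never by the offline demo below.
renew_and_wait() {
    id=$1
    tries=${2:-60}
    getcert resubmit -i "$id" || return 1
    while [ "$tries" -gt 0 ]; do
        st=$(getcert list -i "$id" | status_for "$id")
        case $st in
            MONITORING) echo "$id: renewed, status MONITORING"; return 0 ;;
            CA_REJECTED|CA_UNREACHABLE|CA_UNCONFIGURED)
                echo "$id: renewal failed, status $st" >&2; return 1 ;;
        esac
        sleep 5
        tries=$((tries - 1))
    done
    echo "$id: still $st after polling; inspect getcert list -i $id" >&2
    return 1
}

# Offline demo against the constructed sample.
ocsp_id=$(sample_getcert_list | request_id_for 'ocspSigningCert cert-pki-ca')
echo "ocspSigningCert cert-pki-ca is Request ID $ocsp_id," \
     "status $(sample_getcert_list | status_for "$ocsp_id")"
echo "On the CA renewal master: renew_and_wait $ocsp_id"
```

On a live server the operator would run `renew_and_wait "$(getcert list | request_id_for 'ocspSigningCert cert-pki-ca')"` on the CA renewal master, then the same on each other CA replica, and only after every replica shows MONITORING consider the optional `ipa cert-revoke` of the old serial.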