Hello,
Hope you are doing well. I have a question regarding FreeIPA host certificates. We are using FreeIPA as our LDAP. We have some certificates for hosts, e.g. http/uat.com, and we are deploying the certs in HAProxy in PEM format. But the certificates for this host have expired. Can you please let me know in detail how to renew my expired certificates for the hosts? Please provide me the commands and steps.
FreeIPA, version: 4.2.0
Thanks & Regards, Azeem
On 12/13/18 4:04 PM, Azim Siddiqui via FreeIPA-users wrote:
Hi,
from your description I understand that you are referring to certificates delivered by the IPA CA for one of the IPA-enrolled hosts, but not the master's Server-Cert used for the IPA Web GUI.
In this case, how did you obtain the certificate? If you used a method similar to what is described in this wiki [1], the certificate should be monitored by certmonger and automatically renewed.
If you followed instead this wiki [2], the certificate is not tracked by certmonger and needs to be manually renewed. You need to do the following, assuming that the cert is in an NSS database $NSSDB on the IPA client:

- find the key nickname:

  # certutil -K -d $NSSDB
  certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
  Enter Password or Pin for "NSS Certificate DB":
  < 0> rsa 7c0646606b33ab683ee4d1790719ebc4154db0f6 NSS Certificate DB:Server-Cert

  (note the key nickname for the next command)

- create a new certificate request that will re-use the existing key (replace DOMAIN.COM with your IPA domain, in uppercase):

  # certutil -R -d $NSSDB -k "NSS Certificate DB:Server-Cert" -s "cn=`hostname`,O=DOMAIN.COM" -a -o /tmp/cert.csr
  Enter Password or Pin for "NSS Certificate DB":

- request a certificate using the new certificate request:

  # kinit admin
  # ipa cert-request --principal=HTTP/`hostname` /tmp/cert.csr

  (the output will display a Serial Number that needs to be noted for the next command)

- remove the previous cert from the NSS database:

  # certutil -D -d $NSSDB -n Server-Cert

- export the certificate to a file, then import the certificate in the NSS database:

  # ipa cert-show $SERIAL_NUMBER --out=/tmp/server.crt
  # certutil -A -d $NSSDB -n Server-Cert -t u,u,u -i /tmp/server.crt
HTH, flo
[1] https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmon... [2] https://www.freeipa.org/page/PKI#Manual_certificate_requests
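The manual renewal steps from the reply above, as an added POSIX shell example (my own, not code from the thread or the FreeIPA project); the key nickname and the serial number are parsed from the tool output instead of being retyped between commands. It assumes certutil and the ipa CLI are installed, that "kinit admin" was already done, and that NSSDB and IPADOMAIN point at your real NSS database and IPA domain; the two sample outputs embedded below are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: scripts flo's manual renewal of a
# certmonger-untracked host cert in an NSS database. The two values the reply
# says to "note for the next command" (key nickname, serial number) are parsed
# from the tool output instead of retyped. Assumes certutil and the ipa CLI are
# installed, "kinit admin" was done, and NSSDB / IPADOMAIN are set correctly.
set -eu

NSSDB="${NSSDB:-/etc/httpd/alias}"    # assumption: the client's NSS database path
IPADOMAIN="${IPADOMAIN:-DOMAIN.COM}"  # your IPA domain, uppercase (placeholder)

# Constructed sample of `certutil -K` output, in the shape shown in the reply.
SAMPLE_CERTUTIL_K='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      7c0646606b33ab683ee4d1790719ebc4154db0f6   NSS Certificate DB:Server-Cert'

# Constructed sample of `ipa cert-request` output (serial number made up).
SAMPLE_CERT_REQUEST='  Certificate: (base64 omitted)
  Subject: CN=uat.com,O=DOMAIN.COM
  Issuer: CN=Certificate Authority,O=DOMAIN.COM
  Serial number: 268369927
  Serial number (hex): 0xFFF0007'

# Print the first "<token>:<nickname>" from `certutil -K` output ($1 = output text).
key_nickname_from_certutil() {
    printf '%s\n' "$1" | awk '/^< *[0-9]+>/ {
        sub(/^< *[0-9]+> *[a-z]+ *[0-9a-f]+ +/, ""); print; exit }'
}

# Print the decimal serial from `ipa cert-request` output; the "(hex)" line is skipped.
serial_from_cert_request() {
    printf '%s\n' "$1" | awk '/^ *Serial number:/ {
        sub(/^ *Serial number: */, ""); print; exit }'
}

# The reply's steps, end to end. Only runs when RENEW_NOW=1 so the parsers can
# be exercised on the samples without touching a live NSS database.
renew_host_cert() {
    nick="$(key_nickname_from_certutil "$(certutil -K -d "$NSSDB")")"
    short="${nick##*:}"                               # "Server-Cert" without the token prefix
    certutil -R -d "$NSSDB" -k "$nick" -s "cn=$(hostname),O=$IPADOMAIN" -a -o /tmp/cert.csr
    serial="$(serial_from_cert_request "$(ipa cert-request --principal="HTTP/$(hostname)" /tmp/cert.csr)")"
    certutil -D -d "$NSSDB" -n "$short"               # drop the expired cert, keep the key
    ipa cert-show "$serial" --out=/tmp/server.crt
    certutil -A -d "$NSSDB" -n "$short" -t u,u,u -i /tmp/server.crt
    certutil -L -d "$NSSDB" -n "$short" | grep 'Not After'   # confirm the new expiry
}

if [ "${RENEW_NOW:-0}" = 1 ]; then renew_host_cert; fi
```

Run it with RENEW_NOW=1 only once the two parsers have been checked against the real output of your certutil and ipa versions.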