John Stokes via FreeIPA-users wrote:
Hi all,
I have a question regarding renewal of certificates issued to http services.
I read somewhere that these certificates are automatically renewed but could not find any
more details.
My deployment is a standard one and I'm using the caIPAserviceCert profile.
Can anyone shed some light on the process of renewals of certificates issued to servers?
If the renewal is automatic, where will the new cert (I suppose the key file will be the same)
be stored, and when is the renewal done (how many days before it expires)?

Renewal is handled by the certmonger daemon. You can check the certs it
is tracking using:
# getcert list
By default certmonger will attempt to renew the certs starting 28 days
prior to expiration.
The CA subsystem certificates (OCSP, audit, RA agent, etc.) are shared
among the CAs. Because of this, only one IPA master controls the renewal
of those certs. You can see which master this is by running ipa config-show
and looking at the 'IPA CA renewal master' value. By default this is the
first master installed.
Once this renewal master renews the certificates it drops a copy into
LDAP. The other masters will pick up the renewed certs from there.
The HTTP, LDAP and PKINIT certs are renewed individually on each master.
rog
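As an added example (not code from the FreeIPA project or from anyone in this thread), the script below turns the two checks in the reply into something you can run on a master: it parses `getcert list` output and reports every tracked cert that is already inside certmonger's default 28-day renewal window, and it parses `ipa config-show` output to tell whether a given host is the 'IPA CA renewal master'. The `getcert list` and `ipa config-show` excerpts embedded in it are constructed samples with made-up hostnames and request IDs; the layout of the 'subject:', 'expires:' and 'IPA CA renewal master:' lines is assumed to match what those tools print. Date arithmetic is done in plain integer shell so it does not depend on GNU `date -d`.

```shell
#!/bin/sh
# Added example, not code from the FreeIPA project or from this thread.
# Reads `getcert list` output and reports tracked certs already inside
# certmonger's default 28-day renewal window, and reads `ipa config-show`
# output to tell whether a host is the 'IPA CA renewal master'.
# Both inputs below are constructed samples; hostnames are made up.

RENEW_WINDOW_DAYS=28   # certmonger default for IPA-issued certs

# Days since 1970-01-01 for a civil date Y M D (proleptic Gregorian), done
# with integer arithmetic so no GNU-specific `date -d` is needed.
days_from_civil() {
    y=$1; m=${2#0}; d=${3#0}        # strip one leading zero (08 -> 8)
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# Day number for a timestamp like "2025-01-30 00:00:00 UTC", the format
# assumed for certmonger's 'expires:' line.
day_number() {
    ymd=${1%% *}
    y=${ymd%%-*}; rest=${ymd#*-}
    days_from_civil "$y" "${rest%%-*}" "${rest#*-}"
}

# Read getcert output on stdin; print "<days left> <subject>" for every cert
# that expires within RENEW_WINDOW_DAYS of the reference date given in $1.
renewal_candidates() {
    now=$(day_number "$1")
    subject='?'
    while IFS= read -r line; do
        case "$line" in
            *subject:*) subject=${line#*subject: } ;;
            *expires:*)
                left=$(( $(day_number "${line#*expires: }") - now ))
                if [ "$left" -le "$RENEW_WINDOW_DAYS" ]; then
                    echo "$left $subject"
                fi ;;
        esac
    done
}

# Read ipa config-show output on stdin; succeed only if $1 is the renewal master.
is_renewal_master() {
    master=$(sed -n 's/^ *IPA CA renewal master: *//p')
    [ -n "$master" ] && [ "$master" = "$1" ]
}

# Constructed sample of `getcert list` on a master: one HTTP cert 20 days
# from expiry (inside the window) and one LDAP cert with a year left.
SAMPLE_GETCERT=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20240101000001':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipa1.example.com,O=EXAMPLE.COM
        expires: 2025-01-30 00:00:00 UTC
        certificate template/profile: caIPAserviceCert
        track: yes
        auto-renew: yes
Request ID '20240101000002':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipa1.example.com,O=EXAMPLE.COM
        expires: 2026-01-01 00:00:00 UTC
        certificate template/profile: caIPAserviceCert
        track: yes
        auto-renew: yes
EOF
)

# Constructed excerpt of `ipa config-show` (only the relevant lines).
SAMPLE_CONFIG=$(cat <<'EOF'
  Certificate Subject base: O=EXAMPLE.COM
  IPA masters: ipa1.example.com, ipa2.example.com
  IPA CA servers: ipa1.example.com, ipa2.example.com
  IPA CA renewal master: ipa1.example.com
EOF
)

# Stand-alone demo on the constructed samples. On a real master pipe in
# `getcert list` and `ipa config-show` instead, and replace the fixed
# reference date with "$(date -u '+%Y-%m-%d %H:%M:%S UTC')".
printf '%s\n' "$SAMPLE_GETCERT" | renewal_candidates "2025-01-10 12:00:00 UTC"
if printf '%s\n' "$SAMPLE_CONFIG" | is_renewal_master ipa1.example.com; then
    echo "ipa1.example.com is the IPA CA renewal master"
fi
```

Run on the samples, `renewal_candidates` prints only the HTTP cert (20 days left) and the second check reports ipa1.example.com as the renewal master. The master check matters when you are debugging subsystem-cert renewal: per the reply, only that one master renews the shared CA certificates and the others pick the result up from LDAP, so running `getcert resubmit` for those certs on any other master will not help.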