On Fri, 2023-04-14 at 17:54 +0000, Shawn Asmussen via FreeIPA-users
wrote:
Our organization has a large number of existing certificates that we
want to make modifications to the options for. Specifically, we have
certificates used by a couple of different services, that we want to
add in a service restart when the certificate auto-renews, and we
also have a lot of certificates that were created before we knew
about the options like -O/-M/etc... where we manually set file
permissions on the certs after creation. I know how to do these
things on a new cert request, using the various options, but I'd
like to update these options on certificates that are already being
tracked. The only way I've managed to do it so far is by using
ipa-getcert resubmit, with the options that I want changed. However, this
method results in the entire certificate being regenerated on the
spot. If we had a small number of certs that we wanted to update,
this wouldn't be a huge problem, but we have several different certs
on a few thousand production systems that we want to update
this way, and I'd prefer not to send 10,000 cert renewals up to the
master server, and that would also end up making all of those
thousands of certs auto renew at roughly the same time every year,
which we consider to be undesirable. I assume that manual edits of
the files in /var/lib/certmonger/requests is not the proper way to
handle this, but what IS the correct way to make such modifications
after the initial ipa-getcert request that created the certs
originally?
You can update the properties of an existing tracking request with
'getcert start-tracking'. Use -i to identify the request and then add
any -M, -O, etc. options and the original request will be modified to
add/change those options.
--
Sam Morris <sam(a)robots.org.uk>
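The in-place update Sam describes, scripted over the output of `getcert list`, as an added example (not code from this thread, nor from certmonger or FreeIPA). It assumes hypothetical certificate paths, owners and restart commands, and uses a constructed `getcert list` sample so it runs offline; `-i` selects the request, `-M`/`-O` set the certificate file mode and owner as in the question, and `-C` sets the post-save command that covers the restart-on-renew part of it. Set `APPLY=1` on a real host to execute the commands instead of printing them.

```shell
#!/bin/sh
# Added example, not code from the thread or from certmonger/FreeIPA.
# Modifies existing certmonger tracking requests with
# 'getcert start-tracking -i <ID> ...' rather than 'ipa-getcert resubmit',
# so the request is changed in place and no new certificate is issued.
# Certificate paths, owners and post-save commands are hypothetical; the
# 'getcert list' output below is a constructed sample for offline use.
set -eu

# Constructed sample of 'getcert list' output for two tracked certificates.
SAMPLE_LIST=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20230301120000':
	status: MONITORING
	key pair storage: type=FILE,location='/etc/pki/tls/private/httpd.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/httpd.crt'
	CA: IPA
	post-save command:
Request ID '20230301120500':
	status: MONITORING
	key pair storage: type=FILE,location='/etc/pki/tls/private/ldap.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/ldap.crt'
	CA: IPA
	post-save command:
EOF
)

# Print the request ID whose certificate file is $1, reading 'getcert list'
# output on stdin. Exits non-zero when no request tracks that file.
request_id_for_cert() {
    awk -v cert="$1" '
        BEGIN { q = sprintf("%c", 39); found = 0 }            # q is a single quote
        /^Request ID / { id = substr($3, 2, length($3) - 3) }  # strip quotes and colon
        /^[ \t]*certificate: / && index($0, "location=" q cert q) { print id; found = 1; exit }
        END { exit !found }
    '
}

# Compose the in-place update: -i picks the request, -M/-O set the certificate
# file mode/owner, -C sets the post-save command. The request is modified,
# not resubmitted, so no certificate is regenerated.
build_update_cmd() {
    printf "getcert start-tracking -i %s -M %s -O %s -C '%s'\n" "$1" "$2" "$3" "$4"
}

# Look up the request tracking a certificate file and update it. With APPLY=1
# the command runs against the live certmonger and the request is listed
# afterwards for verification; otherwise the command is printed for review.
update_tracking() {
    cert=$1; mode=$2; owner=$3; postsave=$4
    if [ "${APPLY:-0}" = 1 ]; then
        id=$(getcert list | request_id_for_cert "$cert")
    else
        id=$(printf '%s\n' "$SAMPLE_LIST" | request_id_for_cert "$cert")
    fi
    cmd=$(build_update_cmd "$id" "$mode" "$owner" "$postsave")
    if [ "${APPLY:-0}" = 1 ]; then
        eval "$cmd"
        getcert list -i "$id"
    else
        printf '%s\n' "$cmd"
    fi
}

# Demonstration on the constructed sample (prints the commands, does not run them).
update_tracking /etc/pki/tls/certs/httpd.crt 0640 apache 'systemctl restart httpd'
update_tracking /etc/pki/tls/certs/ldap.crt 0640 dirsrv 'systemctl restart dirsrv.target'
```

Because the request is modified rather than resubmitted, the existing certificate, its expiry and therefore its renewal date are untouched, which is what avoids the mass renewal and the synchronized renewal dates raised in the question. After applying, `getcert list -i <ID>` shows the new post-save command, owner and mode on the same request.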