On Thu, Aug 17, 2017 at 01:14:00PM +0800, Alka Murali via FreeIPA-users wrote:
> Hi Fraser,
> Thanks for the reply.
> However I have both my IPA CA and third party CA, where IPA CA is self
> signed and third party CA Signed by DigiCert. So if my SSL certificate is
> going to expire next month, all that I need to do is to execute 'certutil
> -A' alone?
That's correct (or use `ipa-server-certinstall` to do the same thing).
> I have installed FreeIPA Server with default CA Provided by IPA
> (Self-Signed). Later I have installed my Third Party SSL On top of it. Now
> my SSL is going to expire next month. So is 'certutil -A' needed for the
> new certificate to get used by IPA?
Yes, you need to put the new certificate in the application's NSSDB,
then restart the application (httpd and/or dirsrv) so that it is
using the new certificate. Clients will already trust the Digicert
CA so no other action should be required.
Cheers,
Fraser
> Thanks and Regards,
> Alka Murali
> On Thu, Aug 17, 2017 at 1:06 PM, Fraser Tweedale <ftweedal(a)redhat.com>
> wrote:
> > On Thu, Aug 17, 2017 at 11:01:41AM +0800, Alka Murali via FreeIPA-users
> > wrote:
> > > Hello,
> > >
> > > I am using the embedded CA For FreeIPA as well as external CA Signed by
> > > Digicert. However, the certificate will be expiring next month.
> > >
> > > After renewal, do I need to install the certificate again using the same
> > > steps mentioned within the link
> > >
> > > https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> > >
> > > Similarly how will I be able to update the new certificate in my IPA
> > > Clients too? Do I need to follow the steps below on all IPA Clients?
> > >
> > > -----
> > >
> > > certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i ipa.crt
> > >
> > > cp ipa.crt /etc/ipa/ca.crt
> > >
> > > -------
> > >
> > > Can you please brief up the exact procedure to follow for the third party
> > > SSL cert renewal?
> > >
> > > Thanks and Regards,
> > >
> > > Alka Murali
> > >
> > Hi Alka,
> >
> > For **service certificates** use `ipa-server-certinstall` or
> > `certutil -A` to update the certificate(s) on the server(s).
> > No action is required on clients.
> >
> > For **CA certificates** ... is your IPA CA certificate really signed
> > by Digicert? If so, use `ipa-cacert-manage install` to install the
> > new CA certificate. This only needs to be done on one master. Then
> > run `ipa-certupdate` on masters and clients to force an immediate
> > refresh of the CA certificates on those hosts.
> >
> > Cheers,
> > Fraser
> >
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
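The thread above boils down to one distinction: a renewed third-party *service* certificate only has to be imported into the server's NSS databases (`certutil -A` or `ipa-server-certinstall`) followed by a restart of httpd/dirsrv, and clients need nothing, whereas a new *CA* certificate goes through `ipa-cacert-manage install` plus `ipa-certupdate`. What an administrator wants around that step is a check that the cert being installed is actually the fresh one and that the NSSDB looks right afterwards. The script below is an added example written for this editorial pass; it is not code from the thread or from the FreeIPA project. It assumes the FreeIPA default nicknames `Server-Cert` and `IPA CA`, the default httpd NSSDB path `/etc/httpd/alias`, a placeholder file name `new-server.crt`, and the sample `certutil -L` listing is constructed (the intermediate's nickname is made up).

```python
"""Pre- and post-renewal checks for a third-party HTTP/LDAP service certificate
on a FreeIPA server (added example; not FreeIPA project code)."""
import re
import shutil
import subprocess
from datetime import datetime, timezone

# Constructed sample of `certutil -L -d /etc/httpd/alias` output, as it should
# look once the renewed cert is imported; the intermediate nickname is made up.
SAMPLE_CERTUTIL_LIST = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA CA                                                       CT,C,C
DigiCert intermediate (sample)                               C,,
Server-Cert                                                  u,u,u
"""

HEADER_MARKERS = ("Certificate Nickname", "SSL,S/MIME,JAR/XPI")


def parse_certutil_list(text):
    """Parse `certutil -L` output into {nickname: trust flags}."""
    entries = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or any(marker in line for marker in HEADER_MARKERS):
            continue
        # Nicknames may contain single spaces; the trust string is the last token
        # and is separated from the nickname by a run of at least two spaces.
        match = re.match(r"^(.+?)\s{2,}(\S+)$", line)
        if match:
            entries[match.group(1)] = match.group(2)
    return entries


def check_service_db(entries, server_nick="Server-Cert", ca_nick="IPA CA"):
    """Return problems found in a service NSSDB listing (empty list means OK).

    Assumes the FreeIPA default nicknames "Server-Cert" and "IPA CA".
    """
    problems = []
    flags = entries.get(server_nick)
    if flags is None:
        problems.append(f"{server_nick!r} missing: import it with certutil -A or ipa-server-certinstall")
    elif "u" not in flags.split(",")[0]:
        # "u" in the SSL column means the private key is present in the DB
        problems.append(f"{server_nick!r} has no private key (trust {flags!r})")
    ca_flags = entries.get(ca_nick, "")
    if "C" not in ca_flags.split(",")[0]:
        problems.append(f"{ca_nick!r} is not trusted to issue server certs (trust {ca_flags!r})")
    return problems


def parse_not_after(enddate_line):
    """Parse `openssl x509 -noout -enddate` output, e.g. 'notAfter=Sep 17 12:00:00 2017 GMT'."""
    _, _, value = enddate_line.strip().partition("=")
    value = " ".join(value.split())  # collapse the padding before a single-digit day
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_until_expiry(not_after, now=None):
    """Whole days left on a certificate; negative once it has expired."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days


def renewal_due(not_after, now=None, threshold_days=30):
    """True when the certificate expires within threshold_days."""
    return days_until_expiry(not_after, now) <= threshold_days


def main(nssdb="/etc/httpd/alias", new_cert="new-server.crt"):
    """Run the real checks when openssl/certutil are installed (paths are assumptions)."""
    if shutil.which("openssl"):
        out = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", new_cert],
                             capture_output=True, text=True, check=True).stdout
        not_after = parse_not_after(out)
        print(f"{new_cert}: {days_until_expiry(not_after)} days left, "
              f"renewal due: {renewal_due(not_after)}")
    if shutil.which("certutil"):
        out = subprocess.run(["certutil", "-L", "-d", nssdb],
                             capture_output=True, text=True, check=True).stdout
        for problem in check_service_db(parse_certutil_list(out)) or ["OK"]:
            print(f"{nssdb}: {problem}")
    # Once the checks pass, the renewal itself is what Fraser describes:
    #   ipa-server-certinstall -w -d <new cert and key as PKCS#12>
    #   (or certutil -A into each service NSSDB), then restart httpd and dirsrv.


if __name__ == "__main__":
    main()
```

Run it once before importing the renewed certificate (to confirm the file really carries the new expiry) and again afterwards against each service NSSDB; a non-empty problem list after the import means the restart of httpd/dirsrv will not pick up the new certificate.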