No because all the clients already trust and know the IPA CA.
Glad you got it working.
rob
Dungan, Scott A. wrote:
Thanks, Rob.
That worked. Does changing the web certs on the ipa servers require an
'ipa-certupdate' on all clients afterward? As far as I can tell, everything appears to
be working normally without it.
-Scott
-----Original Message-----
From: Rob Crittenden <rcritten(a)redhat.com>
Sent: Monday, November 29, 2021 10:59 AM
To: Dungan, Scott A. <sdungan(a)caltech.edu>; FreeIPA users list
<freeipa-users(a)lists.fedorahosted.org>
Subject: Re: [Freeipa-users] Revert web cert from 3rd party to internal ca
Dungan, Scott A. wrote:
> Rob,
>
> I don't think my response was sent correctly, so sending it again; apologies for
> any duplicates. Also, for misspelling your name.
>
>
>
> Bob,
>
> I ran the command on the first IPA server (idm1) as:
>
> ipa-getcert request -f /var/lib/ipa/certs/httpd.crt -k /var/lib/ipa/private/httpd.key -p /var/lib/ipa/passwds/$HOSTNAME-443-RSA -D idm1.xxx.xxx.edu -D idm1.xxx.xxx.edu -C /usr/libexec/ipa/certmonger/restart_httpd -K HTTP/idm1.xxx.xxx.edu -v -w
>
> It appears the command did not change the HTTP certificate on the IdM server. The
> time stamps and content of /var/lib/ipa/certs/httpd.crt and /var/lib/ipa/private/httpd.key
> are unchanged. Rather, the commercial cert is now tracked by certmonger?:
>
> ~]# getcert list
>
> ....
> Request ID '20211119173141':
> status: MONITORING
> stuck: no
> key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/xxx.xxx.xxx.edu-443-RSA'
> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
> CA: IPA
> issuer: CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US
> subject: CN=idm1.xxx.xxx.edu,OU=GPS,O=xxx,STREET=xxx,L=xxx,ST=xxx,postalCode=xxx,C=xxx
> expires: 2022-01-02 15:59:59 PST
> dns: idm1.xxx.xxx.edu
> key usage: digitalSignature,keyEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
>
> I was expecting that the HTTP service on idm1 would get a new cert from the IPA
> self-signed CA, and then that would be tracked/renewed by certmonger. Certmonger will be
> unable to auto-renew the commercial cert, so tracking that is not useful.
certmonger was too clever by half. It saw that the current cert is valid so went ahead
and tracked it instead of requesting a replacement.
You can stop the tracking with getcert stop-tracking -i 20211119173141
Then backup /var/lib/ipa/private/httpd.key and /var/lib/ipa/certs/httpd.crt, just in
case.
If you then remove /var/lib/ipa/certs/httpd.crt and re-run the request command it will
generate a new CSR using the existing key and IPA should issue a replacement cert.
You'll need to restart Apache afterward.
rob
>
> -Scott
>
> -----Original Message-----
> From: Rob Crittenden <rcritten(a)redhat.com>
> Sent: Monday, November 15, 2021 11:04 AM
> To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> Cc: Dungan, Scott A. <sdungan(a)caltech.edu>
> Subject: Re: [Freeipa-users] Revert web cert from 3rd party to
> internal ca
>
> Dungan, Scott A. via FreeIPA-users wrote:
>> Hi All
>>
>>
>>
>> After deploying FreeIPA with an embedded self-signed CA, the ipa
>> servers were configured to use commercially signed, 3rd party
>> certificates for the HTTP service only. The directory server was left
>> default. This was accomplished by importing the external CA and then
>> the signed certificate, following the instructions on
>> freeipa.org:
>>
>>
>>
>> ipa-cacert-manage -t C,, install InCommon_interm.cer
>>
>> ipa-certupdate
>>
>> ipa-server-certinstall --http /var/lib/ipa/private/httpd.key
>> /var/lib/ipa/private/InCommon_signed.cer
>>
>> ipactl restart
>>
>>
>>
>> A commercially signed web certificate on the ipa servers is no longer
>> required and we would like to revert back to using certificates from
>> the freeipa self-signed CA. Is there a way to do so?
>
> This will request a new certificate using certmonger which will replace the 3rd party
> certificate and configure the renewal tracking. You may want to make a copy of the 3rd
> party cert and key just in case.
>
> ipa-getcert request -f /var/lib/ipa/certs/httpd.crt -k
> /var/lib/ipa/private/httpd.key -p
> /var/lib/ipa/passwds/ipa.example.test-443-RSA -D `hostname` -D
> ipa-ca.example.test -C /usr/libexec/ipa/certmonger/restart_httpd -K
> HTTP/`hostname` -v -w
>
> If you aren't using ACME you can skip the SAN for ipa-ca.example.test
>
> Restart the httpd service once it is issued.
>
> Adjust to your hostname/domain as needed.
>
> rob
>
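The situation Rob diagnoses above (certmonger adopting an already-valid third-party certificate into a tracking entry with `CA: IPA`, which it will never be able to renew) is easy to miss until the cert expires. As an added example that is not part of the thread and not FreeIPA's or certmonger's own code, the Python below parses `getcert list` output and flags every entry whose configured CA is IPA but whose current issuer is not the IPA CA. The sample output is constructed, modelled on the entry Scott posted, with `example.test` names; the expected IPA CA issuer DN is an assumed parameter, since it depends on the realm.

```python
"""Flag certmonger tracking entries that certmonger cannot actually renew.

Added example (not from the mailing-list thread or from FreeIPA): parses the
text output of `getcert list` and reports requests configured with `CA: IPA`
whose live certificate was issued by a different CA, e.g. a commercial one.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the `getcert list` entry quoted in the thread.
# Hostnames, realm and DN values are placeholders, not real infrastructure.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20211119173141':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/idm1.example.test-443-RSA'
\tcertificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
\tCA: IPA
\tissuer: CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US
\tsubject: CN=idm1.example.test,OU=GPS,O=Example,L=Somewhere,ST=CA,C=US
\texpires: 2022-01-02 15:59:59 PST
\tdns: idm1.example.test
\tkey usage: digitalSignature,keyEncipherment
\teku: id-kp-serverAuth,id-kp-clientAuth
\tpre-save command:
\tpost-save command: /usr/libexec/ipa/certmonger/restart_httpd
\ttrack: yes
\tauto-renew: yes
Request ID '20211101120000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=idm1.example.test,O=EXAMPLE.TEST
\texpires: 2023-11-01 12:00:00 PST
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_HEADER = re.compile(r"Request ID '([^']+)':")


@dataclass
class TrackedRequest:
    """One certmonger tracking entry: its request ID and its key/value fields."""
    request_id: str
    fields: dict = field(default_factory=dict)


def parse_getcert_list(text):
    """Split `getcert list` output into TrackedRequest objects.

    Each entry starts with a "Request ID '...':" line; the indented lines that
    follow are "key: value" pairs. Only the first colon separates key from
    value, so values that themselves contain colons (timestamps) survive.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        header = REQUEST_HEADER.match(raw)
        if header:
            current = TrackedRequest(header.group(1))
            entries.append(current)
            continue
        if current is None:
            continue  # preamble such as "Number of certificates ..."
        line = raw.strip()
        key, sep, value = line.partition(":")
        if sep:
            current.fields[key.strip()] = value.strip()
    return entries


def normalize_dn(dn):
    """Compare DNs as an ordered list of lower-cased RDN strings."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def find_unrenewable(text, ipa_ca_issuer):
    """Return (request_id, certificate location, issuer) for entries whose
    CA is IPA but whose issuer is not the IPA CA: certmonger tracks them but
    cannot renew them, which is exactly the state described in the thread."""
    expected = normalize_dn(ipa_ca_issuer)
    findings = []
    for entry in parse_getcert_list(text):
        if entry.fields.get("CA") != "IPA":
            continue
        issuer = entry.fields.get("issuer", "")
        if normalize_dn(issuer) != expected:
            findings.append((entry.request_id, entry.fields.get("certificate", ""), issuer))
    return findings


if __name__ == "__main__":
    # Assumed realm CA DN; replace with the issuer of your own IPA CA.
    for req_id, location, issuer in find_unrenewable(
        SAMPLE_GETCERT_OUTPUT, "CN=Certificate Authority,O=EXAMPLE.TEST"
    ):
        print(f"request {req_id} ({location}) is tracked as CA=IPA but issued by: {issuer}")
        print(f"  certmonger cannot renew this; see: getcert stop-tracking -i {req_id}")
```

On a real server, feed it `subprocess.run(["getcert", "list"], capture_output=True, text=True).stdout` instead of the constructed sample. The issuer DN of the IPA CA can be read from the CA certificate in `/etc/ipa/ca.crt`; it is passed in rather than guessed so that the check stays correct for realms with a renamed or externally-signed IPA CA.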