[Fedora-directory-users] updating/renewing CA and server cert

Brian Jones bkjones at gmail.com
Mon Jun 12 17:44:45 UTC 2006


Hi all,

The SSL Howto on the wiki doesn't really cover a procedure for what to do
when your root CA has to be renewed, along with your server certs.

I have 3 servers whose server certs are all signed with our own root CA, but
that root CA is expiring, and needs to be replaced. Presumably this means I
also need to replace the server certs, since they were signed with this
expiring root CA.

What I was able to do was just blow away /opt/fedora-ds/alias/*.db, and then
run:

###### CREATE NEW *.db FILES ########
/opt/fedora-ds/share/bin/certutil -N -d /opt/fedora-ds/alias -P slapd-ldap-

###### INSTALL NEW ROOT CA ########
/opt/fedora-ds/share/bin/certutil -A -n "My Dept. Root CA" -P slapd-ldap- \
    -d /opt/fedora-ds/alias -t "CT,," -a -i ./cacert.pem

###### CREATE NEW SERVER CERT REQUEST #######
/opt/fedora-ds/share/bin/certutil -R -d /opt/fedora-ds/alias -a -P slapd-ldap- \
    -s "cn=ldap.my-domain.com" -o /tmp/csr.der.txt -g 1024

###### SIGN THE NEW SERVER CERT REQUEST ########
openssl ca -config openssl.cnf -policy policy_anything \
    -out certs/ldapcert.pem -infiles csr.der.txt

###### INSTALL NEW SERVER CERT #########
/opt/fedora-ds/share/bin/certutil -A -d /opt/fedora-ds/alias -n "ldap-server-cert" \
    -P slapd-ldap- -t u,u,u -a -i /opt/fedora-ds/alias/ldapcert.pem

At this point, my server starts up just fine and all appears to be well, but
it doesn't seem like it should be absolutely necessary to start over from
scratch on each server when our root CA expires. Can someone detail a
shorter method to replace expired root CAs *and* server certificates?

thanks.
brian.
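The same renewal done in place, as an added example that is not from the original post: the old CA and server cert are deleted from the existing NSS database with `certutil -D` instead of removing alias/*.db, and the result is checked (trust flags from `certutil -L`, chain validation with `certutil -V -u V`) before the directory server is restarted. It assumes the paths, prefix and nicknames from the post; NEW_CA and NEW_CERT are assumed locations of the renewed PEM files, and the request uses a 2048-bit key rather than the post's 1024.

```shell
#!/bin/sh
# Added example, not from the original post: renew the root CA and server
# cert inside the existing NSS database instead of deleting alias/*.db.
# Paths, prefix and nicknames are the ones from the post; NEW_CA and NEW_CERT
# are assumed locations of the renewed PEM files.
CERTUTIL=/opt/fedora-ds/share/bin/certutil
DB=/opt/fedora-ds/alias
PREFIX=slapd-ldap-
CA_NICK="My Dept. Root CA"
SRV_NICK="ldap-server-cert"
NEW_CA=./cacert.pem      # assumption: the renewed root CA, PEM
NEW_CERT=./ldapcert.pem  # assumption: server cert signed by the renewed CA, PEM

# Print the trust flags of one nickname from `certutil -L` output read on
# stdin (each entry line is "<nickname>   <flags>"; flags are the last field).
trust_flags() {
    awk -v nick="$1" 'substr($0, 1, length(nick)) == nick { print $NF }'
}

# Step 1: swap the CA. -D removes only that certificate entry, so the
# database, its keys and the other certs stay as they are.
replace_ca() {
    "$CERTUTIL" -D -d "$DB" -P "$PREFIX" -n "$CA_NICK"
    "$CERTUTIL" -A -d "$DB" -P "$PREFIX" -n "$CA_NICK" -t "CT,," -a -i "$NEW_CA"
}

# Step 2: new request (new key pair) for the server, to be signed with openssl ca.
new_request() {
    "$CERTUTIL" -R -d "$DB" -P "$PREFIX" -s "cn=ldap.my-domain.com" \
        -g 2048 -a -o "$1"
}

# Step 3: install the signed cert, then check the trust flags and validate the
# chain as an SSL server cert (-u V) before restarting the directory server.
install_and_verify() {
    "$CERTUTIL" -D -d "$DB" -P "$PREFIX" -n "$SRV_NICK"
    "$CERTUTIL" -A -d "$DB" -P "$PREFIX" -n "$SRV_NICK" -t "u,u,u" -a -i "$NEW_CERT"
    listing=$("$CERTUTIL" -L -d "$DB" -P "$PREFIX")
    [ "$(printf '%s\n' "$listing" | trust_flags "$CA_NICK")" = "CT,," ] || return 1
    [ "$(printf '%s\n' "$listing" | trust_flags "$SRV_NICK")" = "u,u,u" ] || return 1
    "$CERTUTIL" -V -d "$DB" -P "$PREFIX" -n "$SRV_NICK" -u V
}

# Run a step only when asked for explicitly, so sourcing the file is harmless.
case "${1:-}" in
    ca)      replace_ca ;;
    csr)     new_request "${2:-/tmp/csr.pem}" ;;
    install) install_and_verify ;;
esac
```

Run it as `sh renew.sh ca`, sign the output of `sh renew.sh csr` with the CA as in the post, then `sh renew.sh install`; a non-zero exit from the last step means the trust flags or the chain did not check out.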