Dungan, Scott A. via FreeIPA-users wrote:
Hi All
After deploying FreeIPA with an embedded self-signed CA, the ipa servers
were configured to use commercially signed, 3rd party certificates for
the HTTP service only. The directory server was left default. This was
accomplished by importing the external CA and then the signed
certificate, following the instructions on freeipa.org:

  ipa-cacert-manage -t C,, install InCommon_interm.cer
  ipa-certupdate
  ipa-server-certinstall --http /var/lib/ipa/private/httpd.key /var/lib/ipa/private/InCommon_signed.cer
  ipactl restart

A commercially signed web certificate on the ipa servers is no longer
required and we would like to revert back to using certificates from the
freeipa self-signed CA. Is there a way to do so?
This will request a new certificate using certmonger which will replace
the 3rd party certificate and configure the renewal tracking. You may
want to make a copy of the 3rd party cert and key just in case.
  ipa-getcert request -f /var/lib/ipa/certs/httpd.crt -k /var/lib/ipa/private/httpd.key -p /var/lib/ipa/passwds/ipa.example.test-443-RSA -D `hostname` -D ipa-ca.example.test -C /usr/libexec/ipa/certmonger/restart_httpd -K HTTP/`hostname` -v -w

If you aren't using ACME you can skip the SAN for ipa-ca.example.test.
Restart the httpd service once it is issued.
Adjust to your hostname/domain as needed.
rob
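Added here as an editor's example, not part of Rob's reply or of the FreeIPA project: a small Python check that parses `getcert list` output and confirms the httpd certificate is now issued by the IPA CA, tracked for auto-renewal, and wired to restart httpd. The sample output, the request ID and the EXAMPLE.TEST names are constructed; the field layout assumed is certmonger's usual "key: value" text.

```python
import re

# Constructed sample of `getcert list` output, as it would look after the httpd
# certificate has been re-issued by the IPA CA (not captured from a real system).
SAMPLE = """Number of certificates and requests being tracked: 1.
Request ID '20240101120000':
\tstatus: MONITORING
\tcertificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tdns: ipa.example.test,ipa-ca.example.test
\tpost-save command: /usr/libexec/ipa/certmonger/restart_httpd
\ttrack: yes
\tauto-renew: yes
"""

def parse_getcert_list(text):
    """Split `getcert list` output into one dict of field -> value per request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and line.startswith("\t"):
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def check_httpd_tracking(requests, cert_path="/var/lib/ipa/certs/httpd.crt",
                         ipa_ca_issuer="CN=Certificate Authority", need_acme_san=False):
    """Return problems found with the tracking entry for cert_path; [] means all good."""
    entry = next((r for r in requests if cert_path in r.get("certificate", "")), None)
    if entry is None:
        return ["no certmonger request tracks %s" % cert_path]
    problems = []
    if entry.get("status") != "MONITORING":
        problems.append("status is %r, expected MONITORING" % entry.get("status"))
    if entry.get("CA") != "IPA":
        problems.append("request uses CA %r instead of IPA" % entry.get("CA"))
    if not entry.get("issuer", "").startswith(ipa_ca_issuer):
        problems.append("certificate still issued by %r" % entry.get("issuer"))
    if entry.get("track") != "yes" or entry.get("auto-renew") != "yes":
        problems.append("renewal tracking is not fully enabled")
    if "restart_httpd" not in entry.get("post-save command", ""):
        problems.append("post-save command does not restart httpd")
    # Only needed when ACME clients rely on the ipa-ca.<domain> SAN.
    if need_acme_san and not any(d.startswith("ipa-ca.") for d in entry.get("dns", "").split(",")):
        problems.append("ipa-ca SAN missing; ACME clients will fail to validate")
    return problems
```

Feed it the real output with `parse_getcert_list(subprocess.check_output(["getcert", "list"], text=True))` and act on any non-empty result.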