Hi Fraser,
Thanks for the reply.
However, I have both my IPA CA and a third-party CA, where the IPA CA is
self-signed and the third-party CA is signed by DigiCert. So if my SSL
certificate is going to expire next month, all that I need to do is to
execute `certutil -A` alone?
I have installed FreeIPA Server with the default CA provided by IPA
(self-signed). Later I installed my third-party SSL certificate on top of it.
Now my SSL certificate is going to expire next month. So is `certutil -A`
needed for the new certificate to get used by IPA?
Thanks and Regards,
Alka Murali
On Thu, Aug 17, 2017 at 1:06 PM, Fraser Tweedale <ftweedal(a)redhat.com>
wrote:
On Thu, Aug 17, 2017 at 11:01:41AM +0800, Alka Murali via FreeIPA-users
wrote:
> Hello,
>
> I am using the embedded CA For FreeIPA as well as external CA Signed by
> Digicert. However, the certificate will be expiring next month.
>
> After renewal, do I need to install the certificate again using the same
> steps mentioned within the link
>
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> Similarly how will I be able to update the new certificate in my IPA
> Clients too. Do I need to follow the steps below on all IPA Clients?
>
> -----
>
> certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i ipa.crt
>
> cp ipa.crt /etc/ipa/ca.crt
>
> -------
>
> Can you please brief up the exact procedure to follow for the third party
> SSL cert renewal.
>
> Thanks and Regards,
>
> Alka Murali
>
Hi Alka,
For **service certificates** use `ipa-server-certinstall` or
`certutil -A` to update the certificate(s) on the server(s).
No action is required on clients.
For **CA certificates** ... is your IPA CA certificate really signed
by Digicert? If so, use `ipa-cacert-manage install` to install the
new CA certificate. This only needs to be done on one master. Then
run `ipa-certupdate` on masters and clients to force an immediate
refresh of the CA certificates on those hosts.
Cheers,
Fraser