On Thu, Aug 17, 2017 at 11:01:41AM +0800, Alka Murali via FreeIPA-users wrote:
Hello,
I am using the embedded CA for FreeIPA as well as external CA Signed by
Digicert. However, the certificate will be expiring next month.
After renewal, do I need to install the certificate again using the same
steps mentioned within the link
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
Similarly, how will I be able to update the new certificate in my IPA
Clients too? Do I need to follow the steps below on all IPA Clients?
-----
certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i ipa.crt
cp ipa.crt /etc/ipa/ca.crt
-------
Can you please brief up the exact procedure to follow for the third party
SSL cert renewal.
Thanks and Regards,
Alka Murali

Hi Alka,
For **service certificates** use `ipa-server-certinstall` or
`certutil -A` to update the certificate(s) on the server(s).
No action is required on clients.
For **CA certificates** ... is your IPA CA certificate really signed
by Digicert? If so, use `ipa-cacert-manage install` to install the
new CA certificate. This only needs to be done on one master. Then
run `ipa-certupdate` on masters and clients to force an immediate
refresh of the CA certificates on those hosts.
Cheers,
Fraser
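
Added example (not part of the thread, and not FreeIPA project code): a small shell helper that tells whether a renewed certificate is a CA certificate or a service certificate by its Basic Constraints, then prints the matching steps from the reply above. The function names, the 30-day warning threshold and the sample certificate text are assumptions made for this illustration.

```shell
#!/bin/sh
# cert_kind: reads `openssl x509 -noout -text` output on stdin and prints
# "ca" if Basic Constraints says CA:TRUE, otherwise "service".
# A certificate with no Basic Constraints extension is treated as "service".
cert_kind() {
    if grep -Eq 'CA:[[:space:]]*TRUE'; then
        echo ca
    else
        echo service
    fi
}

# renewal_steps KIND: prints the steps the reply gives for that kind.
renewal_steps() {
    case "$1" in
        ca)
            echo "one master: ipa-cacert-manage install <new-ca-cert.pem>"
            echo "masters and clients: ipa-certupdate"
            ;;
        service)
            echo "each server: ipa-server-certinstall (or certutil -A)"
            echo "clients: no action required"
            ;;
        *)
            echo "unknown certificate kind: $1" >&2
            return 1
            ;;
    esac
}

# Constructed excerpts of openssl text output, used only as sample input.
SAMPLE_CA_TEXT='            X509v3 Basic Constraints: critical
                CA:TRUE'
SAMPLE_SERVICE_TEXT='            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication'

# Usage: sh thisfile.sh renewed-cert.pem
if [ "$#" -gt 0 ]; then
    kind=$(openssl x509 -in "$1" -noout -text | cert_kind)
    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$1" -noout -checkend $((30 * 24 * 3600)) >/dev/null ||
        echo "warning: $1 expires within 30 days"
    renewal_steps "$kind"
fi
```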