Hello, list,
Our FreeIPA is 4.9.8 and the domain is wingon.hk. Initially, we installed an external CA and
certificates by following this link
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
And it works fine.
The certificate expired on Aug 03 22:16:17 2023. We want to replace the certificate of
HTTP only because, unlike Mod_NSSDB, it's easy to install by placing two files, PEM and
key.
And we plan to replace the external certificate of dirsrv with a self-signed one.
=== httpd ===
# certutil -d /etc/httpd/alias/ -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
WINGON.HK IPA CA CT,C,C
Go Daddy Secure Certificate Authority - G2 -
GoDaddy.com, Inc. CT,C,C
Go Daddy Root Certificate Authority - G2 - The Go Daddy Group, Inc. CT,C,C
Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc. CT,C,C
Server-Cert u,u,u
# certutil -d /etc/httpd/alias/ -n Server-Cert -L
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
08:5c:79:e8:d9:7d:6a:b4
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=Go Daddy Secure Certificate Authority - G2,OU=http://cert
s.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=A
rizona,C=US"
Validity:
Not Before: Sat Jul 02 22:16:17 2022
Not After : Thu Aug 03 22:16:17 2023
Subject: "CN=*.wingon.hk"
====
So is the Server-Cert of HTTP used? It does not matter because we can still log in on the
web, because we already replaced the cert and key. Can we remove this one?
====== dirsrv ===============
===============> /etc/dirsrv/slapd-WINGON-HK/
# certutil -d /etc/dirsrv/slapd-WINGON-HK/ -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
CN=*.wingon.hk u,u,u
WINGON.HK IPA CA CT,C,C
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US C,,
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\,
Inc.,L=Scottsdale,ST=Arizona,C=US C,,
NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate Authority -
G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\,
Inc.,L=Scottsdale,ST=Arizona,C=US C,,
# certutil -d /etc/dirsrv/slapd-WINGON-HK/ -L -n 'CN=*.wingon.hk'
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
08:5c:79:e8:d9:7d:6a:b4
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=Go Daddy Secure Certificate Authority - G2,OU=http://cert
s.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=A
rizona,C=US"
Validity:
Not Before: Sat Jul 02 22:16:17 2022
Not After : Thu Aug 03 22:16:17 2023
Subject: "CN=*.wingon.hk"
=========
As you can see, it's expired already. How can I replace this with a self-signed one?
I used
certutil -d /etc/dirsrv/slapd-SAP-WINGON-HK/ -n Server-Cert -D
ipa-getcert request -d /etc/dirsrv/slapd-WINGON-HK/ -n 'CN=*.wingon.hk' -K
ldap/`hostname` -N CN=`hostname`,O=WINGON.HK -g 2048 -p
/etc/dirsrv/slapd-WINGON-HK/pwdfile.txt
But it failed.
Thanks for your help.
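Added by the editor as an example, not part of the original post: a small Python parser for the two kinds of certutil output quoted above. It reports which nicknames in an NSS database carry a private key (trust `u,u,u`, i.e. the certificate a service can actually present) and whether a given certificate is past its Not After date, so expired entries can be confirmed from the listings before anything is deleted or re-requested. The sample text is copied from the listings in the post.

```python
"""Parse `certutil -d <dir> -L` listings and `certutil -L -n <nick>` details.
Editor's example (not from the original post); sample input is copied from it."""
import re
from datetime import datetime

# "<nickname>   <trust triple>"; nickname may contain spaces and commas
TRUST_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[pPcCTu]*,[pPcCTu]*,[pPcCTu]*)\s*$")
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+)$", re.MULTILINE)

def parse_listing(text):
    """Return {nickname: trust}. Header lines are skipped; a nickname that a
    mail client wrapped onto two lines is re-joined with the fragment before it."""
    certs, pending = {}, ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Certificate Nickname") or line == "SSL,S/MIME,JAR/XPI":
            pending = ""
            continue
        m = TRUST_RE.match(line)
        if m:
            certs[(pending + " " + m.group("nick")).strip()] = m.group("trust")
            pending = ""
        else:
            pending = (pending + " " + line).strip()
    return certs

def with_private_key(certs):
    """Nicknames whose SSL trust flag is 'u': the key is in the DB, so this is
    the entry a service (httpd or dirsrv) would serve, not a CA certificate."""
    return sorted(n for n, t in certs.items() if t.split(",")[0] == "u")

def not_after(detail):
    """Parse the 'Not After' line from `certutil -L -n <nick>` output."""
    m = NOT_AFTER_RE.search(detail)
    if not m:
        raise ValueError("no 'Not After' line in certutil output")
    return datetime.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Y")

def is_expired(detail, now_iso):
    """True if the certificate's Not After date is before now_iso (YYYY-MM-DD)."""
    return not_after(detail) < datetime.fromisoformat(now_iso)

# Constructed from the post's httpd and dirsrv listings (truncated to a few rows).
HTTPD_LISTING = """Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
WINGON.HK IPA CA CT,C,C
Go Daddy Secure Certificate Authority - G2 -
GoDaddy.com, Inc. CT,C,C
Server-Cert u,u,u
"""
DIRSRV_LISTING = "CN=*.wingon.hk u,u,u\nWINGON.HK IPA CA CT,C,C\n"
DETAIL = "Not Before: Sat Jul 02 22:16:17 2022\nNot After : Thu Aug 03 22:16:17 2023\n"
```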