On 3/15/19 8:16 PM, Azim Siddiqui wrote:
Hi Florence,
Hope you are doing well. I tried the way you said. But still, it is
showing that the certificate is expired.
Let me be more clear about it.
We have Apache running with an expired certificate which is signed by
FreeIPA. Now I want to renew or create a new certificate. So can you
please tell me how I can renew or create a new certificate signed by
FreeIPA?
Whenever I go to the Apache URL from the browser, it shows that the
site is not secure.
Thanks & Regards,
Azeem
Hi,
(re-adding freeipa-users in CC).
Can you first confirm that you are referring to a cert for the apache
server *not running on one of the FreeIPA masters*?
Then please explain how you originally obtained the certificate. Also
include the following information:
- relevant apache configuration (if using mod_ssl, then
/etc/httpd/conf.d/ssl.conf or if using mod_nss, /etc/httpd/conf.d/nss.conf).
- output of getcert list on the host running apache
flo
On Wed, 19 Dec 2018 at 14:04, Florence Blanc-Renaud <flo@redhat.com> wrote:
On 12/13/18 4:04 PM, Azim Siddiqui via FreeIPA-users wrote:
> Hello,
>
> Hope you are doing well. I have a question regarding FreeIPA host
> certificates.
> We are using FreeIPA as our LDAP. We have some certificates for
> hosts, e.g. http/uat.com.
> And we are deploying the certs in HAProxy in PEM format.
> But the certificates for this host have expired.
> Can you please let me know in detail how to renew my expired
> certificates for the hosts. Please provide me the commands and steps.
>
Hi,
From your description I understand that you are referring to
certificates delivered by the IPA CA for one of the IPA-enrolled hosts,
but not the master's Server-Cert used for the IPA Web GUI.
In this case, how did you obtain the certificate? If you used a method
similar to what is described in this wiki [1], the certificate should be
monitored by certmonger and automatically renewed.
If you followed instead this wiki [2], the certificate is not tracked by
certmonger and needs to be manually renewed. You need to do the
following, assuming that the cert is in an NSS database $NSSDB on the
IPA client:
- find the key nickname
# certutil -K -d $NSSDB
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa      7c0646606b33ab683ee4d1790719ebc4154db0f6   NSS Certificate DB:Server-Cert
(note the key nickname for the next command)
- create a new certificate request that will re-use the existing key
(replace DOMAIN.COM with your IPA domain, in uppercase):
# certutil -R -d $NSSDB -k "NSS Certificate DB:Server-Cert" -s "cn=`hostname`,O=DOMAIN.COM" -a -o /tmp/cert.csr
Enter Password or Pin for "NSS Certificate DB":
- request a certificate using the new certificate request (the same CSR
file written by the previous command)
# kinit admin
# ipa cert-request --principal=HTTP/`hostname` /tmp/cert.csr
(the output will display a Serial Number that needs to be noted for the
next command)
- remove the previous cert from the NSS database:
# certutil -D -d $NSSDB -n Server-Cert
- export the certificate to a file, then import the certificate in the
NSS database:
# ipa cert-show $SERIAL_NUMBER --out=/tmp/server.crt
# certutil -A -d $NSSDB -n Server-Cert -t u,u,u -i /tmp/server.crt
HTH,
flo
[1] https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Cert...
[2] https://www.freeipa.org/page/PKI#Manual_certificate_requests
> FreeIPA, version: 4.2.0
>
> Thanks & Regards,
> Azeem
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>
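The manual renewal sequence Florence lays out above (new CSR on the existing key, ipa cert-request, swap the cert in the NSS database) as one scripted driver. This is an added example written for this page; it is not code from the thread or from the FreeIPA project. It assumes certutil and ipa on PATH, an existing admin Kerberos ticket, and that `ipa cert-request` prints a "Serial number:" line; the NSS database path /etc/httpd/alias, the domain example.com, the host web.example.com, and every certutil/ipa output embedded below are placeholders or constructed samples, not captured from a live system. The dry run at the bottom shows the exact argv sequence without touching anything; drop `run=fake_run` to execute it for real.

```python
#!/usr/bin/env python3
"""Driver for the manual renewal steps above (cert not tracked by certmonger).

Added example, not code from the thread or from FreeIPA. The certutil / ipa
outputs embedded below are constructed to match the shape of real output and
were not captured from a live system. Running for real needs certutil and ipa
on PATH and an admin Kerberos ticket (kinit admin); the script does not kinit.
"""
import re
import subprocess
from datetime import datetime, timedelta

# "Not After : Fri Mar 15 08:00:00 2019" as printed by `certutil -L -n NICK`
_NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+?)\s*$", re.M)
# "< 0> rsa   <keyid>   NSS Certificate DB:Server-Cert" as printed by `certutil -K`
_KEY_RE = re.compile(r"^<\s*\d+>\s+\w+\s+[0-9a-f]+\s+(.+?)\s*$", re.M)
# "Serial number: 12" as printed by `ipa cert-request` (assumed format)
_SERIAL_RE = re.compile(r"^\s*Serial number:\s*(\d+)\s*$", re.M)


def cert_not_after(certutil_l_output):
    """Parse the Not After timestamp (naive local time) out of certutil -L."""
    m = _NOT_AFTER_RE.search(certutil_l_output)
    if not m:
        raise ValueError("no 'Not After' line in certutil -L output")
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")


def renewal_due(certutil_l_output, now, lead_days=30):
    """True if the cert has already expired or expires within lead_days."""
    return cert_not_after(certutil_l_output) - now <= timedelta(days=lead_days)


def key_nickname(certutil_k_output, cert_nick):
    """The '<token>:<nick>' private-key name backing cert_nick (certutil -R -k)."""
    for nick in _KEY_RE.findall(certutil_k_output):
        if nick.split(":", 1)[-1] == cert_nick:
            return nick
    raise LookupError("no private key named %r in the NSS database" % cert_nick)


def serial_number(cert_request_output):
    m = _SERIAL_RE.search(cert_request_output)
    if not m:
        raise ValueError("no 'Serial number:' line in ipa cert-request output")
    return int(m.group(1))


def _run(argv):
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def renew(nssdb, domain, hostname, cert_nick="Server-Cert", now=None,
          run=_run, csr="/tmp/cert.csr", crt="/tmp/server.crt"):
    """Re-use the existing key: new CSR, ipa cert-request, swap the cert in
    the NSS db. Every command is an argv list (no shell), so a hostname or
    nickname cannot inject into a command line. `run(argv) -> stdout` is
    injectable for dry runs. Returns (serial, argvs); serial is None when
    the cert is not yet due and only the validity check ran."""
    now = now or datetime.now()
    executed = []

    def do(argv):
        executed.append(argv)
        return run(argv)

    if not renewal_due(do(["certutil", "-L", "-d", nssdb, "-n", cert_nick]), now):
        return None, executed
    key = key_nickname(do(["certutil", "-K", "-d", nssdb]), cert_nick)
    do(["certutil", "-R", "-d", nssdb, "-k", key,
        "-s", "cn=%s,O=%s" % (hostname, domain.upper()), "-a", "-o", csr])
    serial = serial_number(do(["ipa", "cert-request",
                               "--principal=HTTP/%s" % hostname, csr]))
    # The CA has issued the replacement by now, so dropping the old cert is safe.
    do(["certutil", "-D", "-d", nssdb, "-n", cert_nick])
    do(["ipa", "cert-show", str(serial), "--out=%s" % crt])
    do(["certutil", "-A", "-d", nssdb, "-n", cert_nick, "-t", "u,u,u", "-i", crt])
    return serial, executed


# Constructed sample outputs for the dry run (not captured from a real host).
SAMPLE_NOW = datetime(2019, 3, 15, 20, 16)
SAMPLE_CERTUTIL_L = ("    Validity:\n"
                     "        Not Before: Thu Mar 15 08:00:00 2018\n"
                     "        Not After : Fri Mar 15 08:00:00 2019\n")
SAMPLE_CERTUTIL_L_FRESH = SAMPLE_CERTUTIL_L.replace(
    "Fri Mar 15 08:00:00 2019", "Sat Mar 14 08:00:00 2020")
SAMPLE_CERTUTIL_K = (
    'certutil: Checking token "NSS Certificate DB" in slot '
    '"NSS User Private Key and Certificate Services"\n'
    "< 0> rsa      7c0646606b33ab683ee4d1790719ebc4154db0f6   "
    "NSS Certificate DB:Server-Cert\n")
SAMPLE_CERT_REQUEST = ("  Issuing CA: ipa\n  Serial number: 12\n"
                       "  Serial number (hex): 0xC\n")


def fake_run(argv, listing=SAMPLE_CERTUTIL_L):
    """Stand-in for subprocess that answers each command with a sample."""
    if argv[:2] == ["certutil", "-L"]:
        return listing
    if argv[:2] == ["certutil", "-K"]:
        return SAMPLE_CERTUTIL_K
    if argv[:2] == ["ipa", "cert-request"]:
        return SAMPLE_CERT_REQUEST
    return ""


if __name__ == "__main__":
    # Dry run; /etc/httpd/alias, example.com and web.example.com are placeholders.
    serial, cmds = renew("/etc/httpd/alias", "example.com", "web.example.com",
                         now=SAMPLE_NOW, run=fake_run)
    print("issued serial:", serial)
    for argv in cmds:
        print(" ".join(argv))
```

The validity check up front is what keeps this safe to put in cron: a cert that is not within the lead window is left alone, and the old cert is only removed after `ipa cert-request` has returned a serial, so a failed request never leaves the NSS database without a Server-Cert. Note that the old and new CSR/cert files are written in /tmp here purely to mirror the thread; on a shared host use a private directory.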