Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 20. Replacing the web server and LDAP server certificates if they have not yet expired on an IdM replica

As an Identity Management (IdM) system administrator, you can manually replace the certificates used by the web (or httpd) and LDAP (or Directory) services running on an IdM server. This might be necessary if the certificates are nearing expiration and either the certmonger utility is not configured for automatic renewal, or the certificates are signed by an external certificate authority (CA).

The example describes how to install the certificates for the services running on the server.idm.example.com IdM server. You obtain the certificates from an external CA.

Note

The httpd and LDAP service certificates have different key pairs and subject names on different IdM servers and so you must renew the certificates on each IdM server individually.

Prerequisites

  • On at least one other IdM replica in the topology with which the IdM server has a replication agreement, the web and LDAP certificates are still valid. This is a prerequisite for the ipa-server-certinstall command, which requires a TLS connection to communicate with other IdM replicas. If the certificates are invalid, the connection cannot be established, and the command fails. In that case, see Replacing the web server and LDAP server certificates if they have expired in the whole IdM deployment.
  • You have root access to the IdM server.
  • You know the Directory Manager password.
  • If the new httpd/LDAP certificate is going to be signed by a different external CA than the old one, you have access to the files storing the CA certificate chain of the external CA.

Procedure

  1. If the new httpd/LDAP certificate is going to be signed by a different CA than the old one, install the new external CA certificate and the whole CA certificate chain of the external CA as additional CA certificates to IdM. The files storing the certificates are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats.

    1. Install the CA certificate: 

      # ipa-cacert-manage install /path/to/ca.crt
      Copy to Clipboard Toggle word wrap
      Important

      If the new external CA certificate has the same subject as the old one but is different because it uses a different key, you can use it only if you have met the following conditions:

      • The two certificates have identical trust flags.
      • The CAs share the same nickname.
      • The X509 extensions listed in the certificate include the Authority Key Identifier (AKI) extension.

    2. Install the rest of the certificate chain as additional CA certificates into IdM. Because the ipa-cacert-manage install command reads only the first certificate in a file, you must install the full CA chain one certificate at a time. For example, if the chain includes two certificates, save each one in a separate file and run ipa-cacert-manage install individually for each file: 

      # ipa-cacert-manage install /path/to/intermediate-ca.crt
      Copy to Clipboard Toggle word wrap 
      # ipa-cacert-manage install /path/to/root-ca.crt
      Copy to Clipboard Toggle word wrap

    3. Update the local IdM certificate databases with certificates from the certificate chain: 

      # ipa-certupdate
      Copy to Clipboard Toggle word wrap

  2. Generate a private key and a certificate signing request (CSR) using the OpenSSL utility: 

    $ openssl req -new -newkey rsa:4096 -days 365 -nodes -keyout new.key -out new.csr -addext "subjectAltName = DNS:server.idm.example.com" -subj '/CN=server.idm.example.com,O=IDM.EXAMPLE.COM'
    Copy to Clipboard Toggle word wrap

    Submit the CSR to the external CA. The process differs depending on the service to be used as the external CA. After the CA signs the certificate, import the certificate to the IdM server.

  3. On the IdM server, replace the Apache web server’s old private key and certificate with the new key and the newly-signed certificate: 

    # ipa-server-certinstall -w --pin=password new.key new.crt
    Copy to Clipboard Toggle word wrap

    In the command above:

    • The -w option specifies that you are installing a certificate into the web server.
    • The --pin option specifies the password protecting the private key.
  4. When prompted, enter the Directory Manager password.

  5. Replace the LDAP server’s old private key and certificate with the new key and the newly-signed certificate: 

    # ipa-server-certinstall -d --pin=password new.key new.cert
    Copy to Clipboard Toggle word wrap

    In the command above:

    • The -d option specifies that you are installing a certificate into the LDAP server.
    • The --pin option specifies the password protecting the private key.
  6. When prompted, enter the Directory Manager password.

  7. Restart the httpd service: 

    # systemctl restart httpd.service
    Copy to Clipboard Toggle word wrap

  8. Restart the Directory service: 

    # systemctl restart dirsrv@IDM.EXAMPLE.COM.service
    Copy to Clipboard Toggle word wrap

  9. If a subCA has been removed or replaced on the servers, update the clients: 

    # ipa-certupdate
    Copy to Clipboard Toggle word wrap
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat