26.9. Replacing the Web Server's and LDAP Server's Certificate
To replace the service certificates for the web server and LDAP server:
- Request a new certificate. You can do this using:
- the integrated CA: see Section 24.1.1, “Requesting New Certificates for a User, Host, or Service” for details.
- an external CA: generate a private key and certificate signing request (CSR). For example, using OpenSSL:
$ openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout new.key -out new.csr -subj '/CN=idmserver.idm.example.com,O=IDM.EXAMPLE.COM'
Submit the CSR to the external CA. The process differs depending on the service to be used as the external CA.
- Replace the Apache web server's private key and certificate:
[root@ipaserver ~]# ipa-server-certinstall -w --pin=password new.key new.crt
- Replace the LDAP server's private key and certificate:
[root@ipaserver ~]# ipa-server-certinstall -d --pin=password new.key new.cert