26.6. Installing Third-Party Certificates for HTTP or LDAP
Installing a new SSL server certificate for the Apache Web Server, the Directory Server, or both replaces the current SSL certificate with a new one. To do this, you need:
- your private SSL key (
ssl.key
in the procedure below) - your SSL certificate (
ssl.crt
in the procedure below)
For a list of accepted formats of the key and certificate, see the ipa-server-certinstall(1) man page.
Prerequisites
The
ssl.crt
certificate must be signed by a CA known by the service you are loading the certificate into. If this is not the case, install the CA certificate of the CA that signed ssl.crt
into IdM, as described in Section 26.3, “Installing a CA Certificate Manually”.
This ensures that IdM recognizes the CA, and thus accepts
ssl.crt
.
Installing the Third-Party Certificate
- Use the
ipa-server-certinstall
utility to install the certificate. Specify where you want to install it:--http
installs the certificate in the Apache Web Server--dirsrv
installs the certificate on the Directory Server
For example, to install the SSL certificate into both:# ipa-server-certinstall --http --dirsrv ssl.key ssl.crt
- Restart the server into which you installed the certificate.
- To restart the Apache Web Server:
# systemctl restart httpd.service
- To restart the Directory Server:
# systemctl restart dirsrv@REALM.service
- To verify that the certificate has been correctly installed, make sure it is present in the certificate database.
- To display the Apache certificate database:
# certutil -L -d /etc/httpd/alias
- To display the Directory Server certificate database:
# certutil -L -d /etc/dirsrv/slapd-REALM/