Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 21. Replacing the web server and LDAP server certificates if they have expired in the whole IdM deployment

Administrators must manually replace expired HTTP and LDAP certificates to restore system functionality. This recovery process involves generating new signing requests, obtaining external signatures, and installing the renewed credentials on every replica within the topology.

In an IdM deployment without an integrated certificate authority (CA), the certmonger service does not, by default, track IdM service certificates or provide expiration warnings. If the IdM system administrator does not manually configure certificate tracking or set up notifications, the certificates may expire without notice.

Follow this procedure to manually replace expired certificates for the httpd and LDAP services running on the server.idm.example.com IdM server with a valid certificate chain.

Note

The httpd and LDAP service certificates have different key pairs and subject names on different IdM servers. Therefore, you must renew the certificates on each IdM server individually.

Prerequisites

  • The httpd and LDAP certificates have expired on all IdM replicas in the topology. If not, see Replacing the web server and LDAP server certificates if they have not yet expired on an IdM replica.
  • You have root access to the IdM server and replicas.
  • You know the Directory Manager password.

  • You have created backups of the following directories and files:

    • /etc/dirsrv/slapd-IDM-EXAMPLE-COM/
    • /etc/httpd/alias
    • /var/lib/certmonger
    • /var/lib/ipa/certs/
  • If the new httpd/LDAP certificate is going to be signed by a different external CA than the old one, or if the already installed CA certificate is no longer valid, you have access to the files storing the CA certificate chain of the external CA.

Procedure

  1. Optional: Perform a backup of /var/lib/ipa/private and /var/lib/ipa/passwds.

  2. If you are not using the same certificate authority (CA) to sign the new certificates, or if the already installed CA certificate is no longer valid, update the information about the external CA in your local database with files that contain a valid CA certificate chain of the external CA. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats.

    1. Install the CA certificate: 

      # ipa-cacert-manage install /path/to/ca.crt
      Important

      If the new external CA certificate has the same subject as the old one but is different because it uses a different key, you can use it only if you have met the following conditions:

      • The two certificates have identical trust flags.
      • The CAs share the same nickname.
      • The X509 extensions listed in the certificate include the Authority Key Identifier (AKI) extension.

    2. Install the rest of the certificate chain as additional CA certificates into IdM. Because the ipa-cacert-manage install command reads only the first certificate in a file, you must install the full CA chain one certificate at a time. For example, if the chain includes two certificates, save each one in a separate file and run ipa-cacert-manage install individually for each file: 

      # ipa-cacert-manage install /path/to/intermediate-ca.crt
       
      # ipa-cacert-manage install /path/to/root-ca.crt

    3. Update the local IdM certificate databases with certificates from the certificate chain: 

      # ipa-certupdate

  3. Request the certificates for httpd and LDAP:

    1. Create a certificate signing request (CSR) for the Apache web server running on your IdM instances to your third party CA using the OpenSSL utility.

      • The creation of a new private key is optional. If you still have the original private key, you can use the -in option with the openssl req command to specify the input file name to read the request from: 

        $ openssl req -new -nodes -in /var/lib/ipa/private/httpd.key -out /tmp/http.csr -addext 'subjectAltName = DNS:_server.idm.example.com_, otherName:1.3.6.1.4.1.311.20.2.3;UTF8:HTTP/server.idm.example.com@IDM.EXAMPLE.COM' -subj '/O=IDM.EXAMPLE.COM/CN=server.idm.example.com'

      • If you want to create a new key: 

        $ openssl req -new -newkey rsa:2048 -nodes -keyout /var/lib/ipa/private/httpd.key -out /tmp/http.csr -addext 'subjectAltName = DNS:server.idm.example.com, otherName:1.3.6.1.4.1.311.20.2.3;UTF8:HTTP/server.idm.example.com@IDM.EXAMPLE.COM' -subj '/O=IDM.EXAMPLE.COM/CN=server.idm.example.com'

    2. Create a certificate signing request (CSR) for the LDAP server running on your IdM instances to your third party CA using the OpenSSL utility: 

      $ openssl req -new -newkey rsa:2048 -nodes -keyout ~/ldap.key -out /tmp/ldap.csr -addext 'subjectAltName = DNS:server.idm.example.com, otherName:1.3.6.1.4.1.311.20.2.3;UTF8:ldap/server.idm.example.com@IDM.EXAMPLE.COM' -subj '/O=IDM.EXAMPLE.COM/CN=server.idm.example.com'
    3. Submit the CSRs, /tmp/http.csr and tmp/ldap.csr, to the external CA, and obtain a certificate for httpd and a certificate for LDAP. The process differs depending on the service to be used as the external CA.

  4. Install the certificate for httpd : 

    # cp /path/to/httpd.crt /var/lib/ipa/certs/

  5. Install the LDAP certificate into an NSS database:

    1. Optional: List the available certificates: 

      # certutil -d /etc/dirsrv/slapd-IDM-EXAMPLE-COM/ -L
       
      Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u

      The default certificate nickname is Server-Cert, but it is possible that a different name was applied.

    2. Remove the old invalid certificate from the NSS database (NSSDB) by using the certificate nickname from the previous step: 

      # certutil -D -d /etc/dirsrv/slapd-IDM-EXAMPLE-COM/ -n 'Server-Cert' -f /etc/dirsrv/slapd-IDM-EXAMPLE-COM/pwdfile.txt

    3. Create a PKCS12 file to ease the import process into NSSDB: 

      # openssl pkcs12 -export -in ldap.crt -inkey ldap.key -out ldap.p12 -name Server-Cert

    4. Install the created PKCS#12 file into the NSSDB: 

      # pk12util -i ldap.p12 -d /etc/dirsrv/slapd-IDM-EXAMPLE-COM/ -k /etc/dirsrv/slapd-IDM-EXAMPLE-COM/pwdfile.txt

    5. Check that the new certificate has been successfully imported: 

      # certutil -L -d /etc/dirsrv/slapd-IDM-EXAMPLE-COM/

  6. Restart the httpd service: 

    # systemctl restart httpd.service

  7. Restart the Directory service: 

    # systemctl restart dirsrv@IDM-EXAMPLE-COM.service
  8. Perform all the previous steps on all your IdM replicas. This is a prerequisite for establishing TLS connections between the replicas.

  9. Enroll the new certificates to LDAP storage:

    1. Replace the Apache web server’s old private key and certificate with the new key and the newly-signed certificate: 

      # ipa-server-certinstall -w --pin=password /var/lib/ipa/private/httpd.key /var/lib/ipa/certs/httpd.crt

      In the command above:

      • The -w option specifies that you are installing a certificate into the web server.
      • The --pin option specifies the password protecting the private key.
    2. When prompted, enter the Directory Manager password.

    3. Replace the LDAP server’s old private key and certificate with the new key and the newly-signed certificate: 

      # ipa-server-certinstall -d --pin=password /etc/dirsrv/slapd-IDM-EXAMPLE-COM/ldap.key /path/to/ldap.crt

      In the command above:

      • The -d option specifies that you are installing a certificate into the LDAP server.
      • The --pin option specifies the password protecting the private key.
    4. When prompted, enter the Directory Manager password.

    5. Restart the httpd service: 

      # systemctl restart httpd.service

    6. Restart the Directory service: 

      # systemctl restart dirsrv@IDM-EXAMPLE-COM.service
  10. Execute the commands from the previous step on all the other affected replicas.
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2026 Red HatRetour au début