Chapter 20. Replacing the web server and LDAP server certificates if they have not yet expired on an IdM replica

As an Identity Management (IdM) system administrator, you can manually replace the certificates used by the web (or httpd) and LDAP (or Directory) services running on an IdM server. This might be necessary if the certificates are nearing expiration and either the certmonger utility is not configured for automatic renewal, or the certificates are signed by an external certificate authority (CA).

The example describes how to install the certificates for the services running on the server.idm.example.com IdM server. You obtain the certificates from an external CA.

Note

The httpd and LDAP service certificates have different key pairs and subject names on different IdM servers and so you must renew the certificates on each IdM server individually.

Prerequisites

On at least one other IdM replica in the topology with which the IdM server has a replication agreement, the web and LDAP certificates are still valid. This is a prerequisite for the ipa-server-certinstall command, which requires a TLS connection to communicate with other IdM replicas. If the certificates are invalid, the connection cannot be established, and the command fails. In that case, see Replacing the web server and LDAP server certificates if they have expired in the whole IdM deployment.
You have root access to the IdM server.
You know the Directory Manager password.
If the new httpd/LDAP certificate is going to be signed by a different external CA than the old one, you have access to the files storing the CA certificate chain of the external CA.

Procedure

If the new httpd/LDAP certificate is going to be signed by a different CA than the old one, install the new external CA certificate and the whole CA certificate chain of the external CA as additional CA certificates to IdM. The files storing the certificates are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats.
1. Install the CA certificate:
  # ipa-cacert-manage install /path/to/ca.crt
  Copy to Clipboard Toggle word wrap
  Important
  If the new external CA certificate has the same subject as the old one but is different because it uses a different key, you can use it only if you have met the following conditions:
  The two certificates have identical trust flags.
  The CAs share the same nickname.
  The X509 extensions listed in the certificate include the Authority Key Identifier (AKI) extension.
2. Install the rest of the certificate chain as additional CA certificates into IdM. Because the ipa-cacert-manage install command reads only the first certificate in a file, you must install the full CA chain one certificate at a time. For example, if the chain includes two certificates, save each one in a separate file and run ipa-cacert-manage install individually for each file:
  # ipa-cacert-manage install /path/to/intermediate-ca.crt
  Copy to Clipboard Toggle word wrap
  # ipa-cacert-manage install /path/to/root-ca.crt
  Copy to Clipboard Toggle word wrap
3. Update the local IdM certificate databases with certificates from the certificate chain:
  # ipa-certupdate
  Copy to Clipboard Toggle word wrap

Generate a private key and a certificate signing request (CSR) using the OpenSSL utility:

openssl req -new -newkey rsa:4096 -days 365 -nodes -keyout new.key -out new.csr -addext "subjectAltName = DNS:server.idm.example.com" -subj '/CN=server.idm.example.com,O=IDM.EXAMPLE.COM'

$ openssl req -new -newkey rsa:4096 -days 365 -nodes -keyout new.key -out new.csr -addext "subjectAltName = DNS:server.idm.example.com" -subj '/CN=server.idm.example.com,O=IDM.EXAMPLE.COM'

Copy to Clipboard

Toggle word wrap

Submit the CSR to the external CA. The process differs depending on the service to be used as the external CA. After the CA signs the certificate, import the certificate to the IdM server.

On the IdM server, replace the Apache web server’s old private key and certificate with the new key and the newly-signed certificate:
```
ipa-server-certinstall -w --pin=password new.key new.crt
```
```
# ipa-server-certinstall -w --pin=password new.key new.crt
```
Copy to Clipboard Toggle word wrap
In the command above:
- The -w option specifies that you are installing a certificate into the web server.
- The --pin option specifies the password protecting the private key.
When prompted, enter the Directory Manager password.
Replace the LDAP server’s old private key and certificate with the new key and the newly-signed certificate:
```
ipa-server-certinstall -d --pin=password new.key new.cert
```
```
# ipa-server-certinstall -d --pin=password new.key new.cert
```
Copy to Clipboard Toggle word wrap
In the command above:
- The -d option specifies that you are installing a certificate into the LDAP server.
- The --pin option specifies the password protecting the private key.
When prompted, enter the Directory Manager password.
Restart the httpd service:
```
systemctl restart httpd.service
```
```
# systemctl restart httpd.service
```
Copy to Clipboard Toggle word wrap

Restart the Directory service:

systemctl restart dirsrv@IDM.EXAMPLE.COM.service

# systemctl restart dirsrv@IDM.EXAMPLE.COM.service

Copy to Clipboard

Toggle word wrap

If a subCA has been removed or replaced on the servers, update the clients:
```
ipa-certupdate
```
```
# ipa-certupdate
```
Copy to Clipboard Toggle word wrap

Retour au début

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 20. Replacing the web server and LDAP server certificates if they have not yet expired on an IdM replica

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Rendre l’open source plus inclusif

À propos de Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links