Ce contenu n'est pas disponible dans la langue sélectionnée.
26.2. Renewing Certificates
For details on:
- automatic certificate renewal, see Section 26.2.1, “Renewing Certificates Automatically”
- manual certificate renewal, see Section 26.2.2, “Renewing CA Certificates Manually”
26.2.1. Renewing Certificates Automatically
The
certmonger
service automatically renews the following certificates 28 days before their expiration date:
- CA certificate issued by the IdM CA as the root CA
- Subsystem and server certificates issued by the integrated IdM CA that are used by internal IdM services
To automatically renew sub-CA CA certificates, they must be listed on the
certmonger
tracking list. To update the tracking list:
[root@ipaserver ~]# ipa-certupdate trying https://idmserver.idm.example.com/ipa/json Forwarding 'schema' to json server 'https://idmserver.idm.example.com/ipa/json' trying https://idmserver.idm.example.com/ipa/json Forwarding 'ca_is_enabled' to json server 'https://idmserver.idm.example.com/ipa/json' Forwarding 'ca_find/1' to json server 'https://idmserver.idm.example.com/ipa/json' Systemwide CA database updated. Systemwide CA database updated. The ipa-certupdate command was successful
Note
If you are using an external CA as the root CA, you must renew the certificates manually, as described in Section 26.2.2, “Renewing CA Certificates Manually”. The
certmonger
service cannot automatically renew certificates signed by an external CA.
For more information on how
certmonger
monitors certificate expiration dates, see Tracking Certificates with certmonger in the System-Level Authentication Guide.
To verify that automatic renewal works as expected, examine
certmonger
log messages in the /var/log/messages
file:
- After a certificate is renewed,
certmonger
records message like the following to indicate that the renewal operation has succeeded or failed:Certificate named "NSS Certificate DB" in token "auditSigningCert cert-pki-ca" in database "/var/lib/pki-ca/alias" renew success
- As the certificate nears its expiration,
certmonger
logs the following message:certmonger: Certificate named "NSS Certificate DB" in token "auditSigningCert cert-pki-ca" in database "/var/lib/pki-ca/alias" will not be valid after 20160204065136.
26.2.2. Renewing CA Certificates Manually
You can use the
ipa-cacert-manage
utility to manually renew:
- self-signed IdM CA certificate
- externally-signed IdM CA certificate
The certificates renewed with the ipa-cacert-manage renew command use the same key pair and subject name as the old certificates. Renewing a certificate does not remove its previous version to enable certificate rollover.
For details, see the ipa-cacert-manage(1) man page.
26.2.2.1. Renewing a Self-Signed IdM CA Certificate Manually
- Run the ipa-cacert-manage renew command. The command does not require you to specify the path to the certificate.
- The renewed certificate is now present in the LDAP certificate store and in the
/etc/pki/pki-tomcat/alias
NSS database. - Run the
ipa-certupdate
utility on all servers and clients to update them with the information about the new certificate from LDAP. You must runipa-certupdate
on every server and client separately.ImportantAlways runipa-certupdate
after manually installing a certificate. If you do not, the certificate will not be distributed to the other machines.
To make sure the renewed certificate is properly installed, use the
certutil
utility to list the certificates in the database. For example:
# certutil -L -d /etc/pki/pki-tomcat/alias
26.2.2.2. Renewing an Externally-Signed IdM CA Certificate Manually
- Run the ipa-cacert-manage renew --external-ca command.
- The command creates the
/var/lib/ipa/ca.csr
CSR file. Submit the CSR to the external CA to get the renewed CA certificate issued. - Run ipa-cacert-manage renew again, and this time specify the renewed CA certificate and the external CA certificate chain files using the
--external-cert-file
option. For example:# ipa-cacert-manage renew --external-cert-file=/tmp/servercert20110601.pem --external-cert-file=/tmp/cacert.pem
- The renewed CA certificate and the external CA certificate chain are now present in the LDAP certificate store and in the
/etc/pki/pki-tomcat/alias/
NSS database. - Run the
ipa-certupdate
utility on all servers and clients to update them with the information about the new certificate from LDAP. You must runipa-certupdate
on every server and client separately.ImportantAlways runipa-certupdate
after manually installing a certificate. If you do not, the certificate will not be distributed to the other machines.
To make sure the renewed certificate is properly installed, use the
certutil
utility to list the certificates in the database. For example:
# certutil -L -d /etc/pki/pki-tomcat/alias/
26.2.3. Renewing Expired System Certificates When IdM is Offline
If a system certificate has expired, IdM fails to start. IdM supports renewing system certificates even in this situation by using the
ipa-cert-fix
tool.
Prerequisite
- Ensure that the LDAP service is running by entering the ipactl start --ignore-service-failures command on the host.
Procedure 26.1. Renewing all expired system certificates on IdM servers
- On a CA in the IdM domain:
- Start the ipa-cert-fix utility to analyse the system and list expired certificates:
# ipa-cert-fix ... The following certificates will be renewed: Dogtag sslserver certificate: Subject: CN=ca1.example.com,O=EXAMPLE.COM 201905222205 Serial: 13 Expires: 2019-05-12 05:55:47 ... Enter "yes" to proceed:
- Enter yes to start the renewal process:
Enter "yes" to proceed: yes Proceeding. Renewed Dogtag sslserver certificate: Subject: CN=ca1.example.com,O=EXAMPLE.COM 201905222205 Serial: 268369925 Expires: 2021-08-14 02:19:33 ... Becoming renewal master. The ipa-cert-fix command was successful
It can take up to one minute beforeipa-cert-fix
renews all expired certificates.NoteIf you ran the ipa-cert-fix utility on a CA host that was not the renewal master, and the utility renewed shared certificates, this host automatically becomes the new renewal master in the domain. There must be always only one renewal master in the domain to avoid inconsistencies. - Optionally, verify that all services are running:
# ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING httpd Service: RUNNING ipa-custodia Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa: INFO: The ipactl command was successful
- On other servers in the IdM domain:
- Restart IdM with the
--force
parameter:# ipactl restart --force
With the--force
parameter, theipactl
utility ignores individual startup failures. For example, if the server is also a CA, thepki-tomcat
service fails to start. This is expected and ignored because of using the--force
parameter. - After the restart, verify that the
certmonger
service renewed the certificates:# getcert list | egrep '^Request|status:|subject:' Request ID '20190522120745': status: MONITORING subject: CN=IPA RA,O=EXAMPLE.COM 201905222205 Request ID '20190522120834': status: MONITORING subject: CN=Certificate Authority,O=EXAMPLE.COM 201905222205 ...
Note that it can take some time beforecertmonger
renews the shared certificates on the replica. - If the server is also a CA, the previous command reports CA_UNREACHABLE for the certificate the
pki-tomcat
service uses:Request ID '20190522120835': status: CA_UNREACHABLE subject: CN=ca2.example.com,O=EXAMPLE.COM 201905222205 ...
To renew this certificate, use theipa-cert-fix
utility:# ipa-cert-fix Dogtag sslserver certificate: Subject: CN=ca2.example.com,O=EXAMPLE.COM Serial: 3 Expires: 2019-05-11 12:07:11 Enter "yes" to proceed: yes Proceeding. Renewed Dogtag sslserver certificate: Subject: CN=ca2.example.com,O=EXAMPLE.COM 201905222205 Serial: 15 Expires: 2019-08-14 04:25:05 The ipa-cert-fix command was successful