Red Hat SummitCe contenu n'est pas disponible dans la langue sélectionnée.
Chapter 15. Replacing the web server and LDAP server certificates if they have expired in the whole IdM deployment
Identity Management (IdM) uses the following service certificates:
-
The LDAP (or
Directory) server certificate -
The web (or
httpd) server certificate - The PKINIT certificate
In an IdM deployment without a CA, certmonger does not by default track IdM service certificates or notify of their expiration. If the IdM system administrator does not manually set up notifications for these certificates, or configure certmonger to track them, the certificates will expire without notice.
Follow this procedure to manually replace expired certificates for the httpd and LDAP services running on the server.idm.example.com IdM server.
The HTTP and LDAP service certificates have different keypairs and subject names on different IdM servers. Therefore, you must renew the certificates on each IdM server individually.
Prerequisites
- The HTTP and LDAP certificates have expired on all IdM replicas in the topology. If not, see Replacing the web server and LDAP server certificates if they have not yet expired on an IdM replica.
-
You have
rootaccess to the IdM server and replicas. -
You know the
Directory Managerpassword. You have created backups of the following directories and files:
-
/etc/dirsrv/slapd-IDM-EXAMPLE-COM/ -
/etc/httpd/alias -
/var/lib/certmonger -
/var/lib/ipa/certs/
-
Procedure
-
Optional: Perform a backup of
/var/lib/ipa/privateand/var/lib/ipa/passwds. If you are not using the same CA to sign the new certificates or if the already installed CA certificate is no longer valid, update the information about the external CA in your local database with a file that contains a valid CA certificate chain of the external CA. The file is accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats.
Install the certificates available in ca_certificate_chain_file.crt as additional CA certificates into IdM:
ipa-cacert-manage install ca_certificate_chain_file.crt
# ipa-cacert-manage install ca_certificate_chain_file.crtCopy to Clipboard Copied! Update the local IdM certificate databases with certificates from ca_certicate_chain_file.crt:
ipa-certupdate
# ipa-certupdateCopy to Clipboard Copied!
Request the certificates for
httpdand LDAP:Create a certificate signing request (CSR) for the Apache web server running on your IdM instances to your third party CA using the
OpenSSLutility.The creation of a new private key is optional. If you still have the original private key, you can use the
-inoption with theopenssl reqcommand to specify the input file name to read the request from:openssl req -new -nodes -in /var/lib/ipa/private/httpd.key -out /tmp/http.csr -addext 'subjectAltName = DNS:_server.idm.example.com_, otherName:1.3.6.1.4.1.311.20.2.3;UTF8:HTTP/server.idm.example.com@IDM.EXAMPLE.COM' -subj '/O=IDM.EXAMPLE.COM/CN=server.idm.example.com'
$ openssl req -new -nodes -in /var/lib/ipa/private/httpd.key -out /tmp/http.csr -addext 'subjectAltName = DNS:_server.idm.example.com_, otherName:1.3.6.1.4.1.311.20.2.3;UTF8:HTTP/server.idm.example.com@IDM.EXAMPLE.COM' -subj '/O=IDM.EXAMPLE.COM/CN=server.idm.example.com'Copy to Clipboard Copied! If you want to create a new key:
openssl req -new -newkey rsa:2048 -nodes -keyout /var/lib/ipa/private/httpd.key -out /tmp/http.csr -addext 'subjectAltName = DNS:server.idm.example.com, otherName:1.3.6.1.4.1.311.20.2.3;UTF8:HTTP/server.idm.example.com@IDM.EXAMPLE.COM' -subj '/O=IDM.EXAMPLE.COM/CN=server.idm.example.com'
$ openssl req -new -newkey rsa:2048 -nodes -keyout /var/lib/ipa/private/httpd.key -out /tmp/http.csr -addext 'subjectAltName = DNS:server.idm.example.com, otherName:1.3.6.1.4.1.311.20.2.3;UTF8:HTTP/server.idm.example.com@IDM.EXAMPLE.COM' -subj '/O=IDM.EXAMPLE.COM/CN=server.idm.example.com'Copy to Clipboard Copied!
Create a certificate signing request (CSR) for the LDAP server running on your IdM instances to your third party CA using the
OpenSSLutility:openssl req -new -newkey rsa:2048 -nodes -keyout ~/ldap.key -out /tmp/ldap.csr -addext 'subjectAltName = DNS:server.idm.example.com, otherName:1.3.6.1.4.1.311.20.2.3;UTF8:ldap/server.idm.example.com@IDM.EXAMPLE.COM' -subj '/O=IDM.EXAMPLE.COM/CN=server.idm.example.com'
$ openssl req -new -newkey rsa:2048 -nodes -keyout ~/ldap.key -out /tmp/ldap.csr -addext 'subjectAltName = DNS:server.idm.example.com, otherName:1.3.6.1.4.1.311.20.2.3;UTF8:ldap/server.idm.example.com@IDM.EXAMPLE.COM' -subj '/O=IDM.EXAMPLE.COM/CN=server.idm.example.com'Copy to Clipboard Copied! -
Submit the CSRs, /tmp/http.csr and tmp/ldap.csr, to the external CA, and obtain a certificate for
httpdand a certificate for LDAP. The process differs depending on the service to be used as the external CA.
Install the certificate for
httpd:cp /path/to/httpd.crt /var/lib/ipa/certs/
# cp /path/to/httpd.crt /var/lib/ipa/certs/Copy to Clipboard Copied! Install the LDAP certificate into an NSS database:
Optional: List the available certificates:
certutil -d /etc/dirsrv/slapd-IDM-EXAMPLE-COM/ -L
# certutil -d /etc/dirsrv/slapd-IDM-EXAMPLE-COM/ -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,uCopy to Clipboard Copied! The default certificate nickname is Server-Cert, but it is possible that a different name was applied.
Remove the old invalid certificate from the NSS database (
NSSDB) by using the certificate nickname from the previous step:certutil -D -d /etc/dirsrv/slapd-IDM-EXAMPLE-COM/ -n 'Server-Cert' -f /etc/dirsrv/slapd-IDM-EXAMPLE-COM/pwdfile.txt
# certutil -D -d /etc/dirsrv/slapd-IDM-EXAMPLE-COM/ -n 'Server-Cert' -f /etc/dirsrv/slapd-IDM-EXAMPLE-COM/pwdfile.txtCopy to Clipboard Copied! Create a PKCS12 file to ease the import process into
NSSDB:openssl pkcs12 -export -in ldap.crt -inkey ldap.key -out ldap.p12 -name Server-Cert
# openssl pkcs12 -export -in ldap.crt -inkey ldap.key -out ldap.p12 -name Server-CertCopy to Clipboard Copied! Install the created PKCS#12 file into the
NSSDB:pk12util -i ldap.p12 -d /etc/dirsrv/slapd-IDM-EXAMPLE-COM/ -k /etc/dirsrv/slapd-IDM-EXAMPLE-COM/pwdfile.txt
# pk12util -i ldap.p12 -d /etc/dirsrv/slapd-IDM-EXAMPLE-COM/ -k /etc/dirsrv/slapd-IDM-EXAMPLE-COM/pwdfile.txtCopy to Clipboard Copied! Check that the new certificate has been successfully imported:
certutil -L -d /etc/dirsrv/slapd-IDM-EXAMPLE-COM/
# certutil -L -d /etc/dirsrv/slapd-IDM-EXAMPLE-COM/Copy to Clipboard Copied!
Restart the
httpdservice:systemctl restart httpd.service
# systemctl restart httpd.serviceCopy to Clipboard Copied! Restart the
Directoryservice:systemctl restart dirsrv@IDM-EXAMPLE-COM.service
# systemctl restart dirsrv@IDM-EXAMPLE-COM.serviceCopy to Clipboard Copied! -
Perform all the previous steps on all your IdM replicas. This is a prerequisite for establishing
TLSconnections between the replicas. Enroll the new certificates to LDAP storage:
Replace the Apache web server’s old private key and certificate with the new key and the newly-signed certificate:
ipa-server-certinstall -w --pin=password /var/lib/ipa/private/httpd.key /var/lib/ipa/certs/httpd.crt
# ipa-server-certinstall -w --pin=password /var/lib/ipa/private/httpd.key /var/lib/ipa/certs/httpd.crtCopy to Clipboard Copied! In the command above:
-
The
-woption specifies that you are installing a certificate into the web server. -
The
--pinoption specifies the password protecting the private key.
-
The
-
When prompted, enter the
Directory Managerpassword. Replace the LDAP server’s old private key and certificate with the new key and the newly-signed certificate:
ipa-server-certinstall -d --pin=password /etc/dirsrv/slapd-IDM-EXAMPLE-COM/ldap.key /path/to/ldap.crt
# ipa-server-certinstall -d --pin=password /etc/dirsrv/slapd-IDM-EXAMPLE-COM/ldap.key /path/to/ldap.crtCopy to Clipboard Copied! In the command above:
-
The
-doption specifies that you are installing a certificate into the LDAP server. -
The
--pinoption specifies the password protecting the private key.
-
The
-
When prompted, enter the
Directory Managerpassword. Restart the
httpdservice:systemctl restart httpd.service
# systemctl restart httpd.serviceCopy to Clipboard Copied! Restart the
Directoryservice:systemctl restart dirsrv@IDM-EXAMPLE-COM.service
# systemctl restart dirsrv@IDM-EXAMPLE-COM.serviceCopy to Clipboard Copied!
- Execute the commands from the previous step on all the other affected replicas.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}