Red Hat Summit22.3. Recovering from an expired IdM CA certificate
This is the most critical failure. If the IdM CA certificate itself expires, no certificates can be validated or issued. The recovery process involves renewing the CA certificate as self-signed to restore system functionality, and then optionally re-signing it with an external CA if that was your original configuration.
Procedure
On the renewal server, renew the CA certificate as self-signed. This command uses the existing private key to generate a new CA certificate with a renewed validity period:
# ipa-cacert-manage renew --self-signedIf your certificate is close to its expiry date and renewing it did not push the expiry date forward, see the When IPA’s CA certificate is close to expiry date, renewing it doesn’t push forward the expiry date solution.
Fix expired service certificates on the renewal server.
Stop the IdM services:
# ipactl stopRun the
ipa-cert-fixcommand to reset the expiration date of expired service certificates in the IdM database:# ipa-cert-fixIssue new certificates and apply them to the IdM services:
# ipa-certupdateRestart the IdM services to complete the renewal:
# ipactl start
If your original setup used an externally-signed CA, you must now get the new CA certificate re-signed by your external authority. If you use a self-signed CA, skip this step.
Generate a certificate-signing request (CSR) for the newly renewed CA:
# ipa-cacert-manage renew --external-caThis creates a CSR file at
/var/lib/ipa/ca.csr.- Submit the CSR file to your external CA and receive the newly signed certificate and the external CA’s chain of trust.
Install the newly signed certificate back into IdM:
# ipa-cacert-manage renew --external-cert-file /path/to/new-ca.pem --external-cert-file /path/to/external-chain.pem
Propagate the new CA certificate to all IdM servers and clients. Run the
ipa-certupdateon the renewal server first, then on all other replicas, and finally on all clients:# ipa-certupdateThis step is critical to ensure all systems in the topology trust the new CA certificate.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}