Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 21. Replacing the web server and LDAP server certificates if they have expired in the whole IdM deployment

Identity Management (IdM) uses the following service certificates:

  • The LDAP (or Directory) server certificate
  • The web (or httpd) server certificate
  • The PKINIT certificate

In an IdM deployment without an integrated certificate authority (CA), the certmonger service does not, by default, track IdM service certificates or provide expiration warnings. If the IdM system administrator does not manually configure certificate tracking or set up notifications, the certificates may expire without notice.

Follow this procedure to manually replace expired certificates for the httpd and LDAP services running on the server.idm.example.com IdM server with a valid certificate chain.

Note

The httpd and LDAP service certificates have different key pairs and subject names on different IdM servers. Therefore, you must renew the certificates on each IdM server individually.

Prerequisites

  • The httpd and LDAP certificates have expired on all IdM replicas in the topology. If not, see Replacing the web server and LDAP server certificates if they have not yet expired on an IdM replica.
  • You have root access to the IdM server and replicas.
  • You know the Directory Manager password.

  • You have created backups of the following directories and files:

    • /etc/dirsrv/slapd-IDM-EXAMPLE-COM/
    • /etc/httpd/alias
    • /var/lib/certmonger
    • /var/lib/ipa/certs/
  • If the new httpd/LDAP certificate is going to be signed by a different external CA than the old one, or if the already installed CA certificate is no longer valid, you have access to the files storing the CA certificate chain of the external CA.

Procedure

  1. Optional: Perform a backup of /var/lib/ipa/private and /var/lib/ipa/passwds.

  2. If you are not using the same certificate authority (CA) to sign the new certificates, or if the already installed CA certificate is no longer valid, update the information about the external CA in your local database with files that contain a valid CA certificate chain of the external CA. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats.

    1. Install the CA certificate: 

      # ipa-cacert-manage install /path/to/ca.crt
      Copy to Clipboard Toggle word wrap
      Important

      If the new external CA certificate has the same subject as the old one but is different because it uses a different key, you can use it only if you have met the following conditions:

      • The two certificates have identical trust flags.
      • The CAs share the same nickname.
      • The X509 extensions listed in the certificate include the Authority Key Identifier (AKI) extension.

    2. Install the rest of the certificate chain as additional CA certificates into IdM. Because the ipa-cacert-manage install command reads only the first certificate in a file, you must install the full CA chain one certificate at a time. For example, if the chain includes two certificates, save each one in a separate file and run ipa-cacert-manage install individually for each file: 

      # ipa-cacert-manage install /path/to/intermediate-ca.crt
      Copy to Clipboard Toggle word wrap 
      # ipa-cacert-manage install /path/to/root-ca.crt
      Copy to Clipboard Toggle word wrap

    3. Update the local IdM certificate databases with certificates from the certificate chain: 

      # ipa-certupdate
      Copy to Clipboard Toggle word wrap

  3. Request the certificates for httpd and LDAP:

    1. Create a certificate signing request (CSR) for the Apache web server running on your IdM instances to your third party CA using the OpenSSL utility.

      • The creation of a new private key is optional. If you still have the original private key, you can use the -in option with the openssl req command to specify the input file name to read the request from: 

        $ openssl req -new -nodes -in /var/lib/ipa/private/httpd.key -out /tmp/http.csr -addext 'subjectAltName = DNS:_server.idm.example.com_, otherName:1.3.6.1.4.1.311.20.2.3;UTF8:HTTP/server.idm.example.com@IDM.EXAMPLE.COM' -subj '/O=IDM.EXAMPLE.COM/CN=server.idm.example.com'
        Copy to Clipboard Toggle word wrap

      • If you want to create a new key: 

        $ openssl req -new -newkey rsa:2048 -nodes -keyout /var/lib/ipa/private/httpd.key -out /tmp/http.csr -addext 'subjectAltName = DNS:server.idm.example.com, otherName:1.3.6.1.4.1.311.20.2.3;UTF8:HTTP/server.idm.example.com@IDM.EXAMPLE.COM' -subj '/O=IDM.EXAMPLE.COM/CN=server.idm.example.com'
        Copy to Clipboard Toggle word wrap

    2. Create a certificate signing request (CSR) for the LDAP server running on your IdM instances to your third party CA using the OpenSSL utility: 

      $ openssl req -new -newkey rsa:2048 -nodes -keyout ~/ldap.key -out /tmp/ldap.csr -addext 'subjectAltName = DNS:server.idm.example.com, otherName:1.3.6.1.4.1.311.20.2.3;UTF8:ldap/server.idm.example.com@IDM.EXAMPLE.COM' -subj '/O=IDM.EXAMPLE.COM/CN=server.idm.example.com'
      Copy to Clipboard Toggle word wrap
    3. Submit the CSRs, /tmp/http.csr and tmp/ldap.csr, to the external CA, and obtain a certificate for httpd and a certificate for LDAP. The process differs depending on the service to be used as the external CA.

  4. Install the certificate for httpd : 

    # cp /path/to/httpd.crt /var/lib/ipa/certs/
    Copy to Clipboard Toggle word wrap

  5. Install the LDAP certificate into an NSS database:

    1. Optional: List the available certificates: 

      # certutil -d /etc/dirsrv/slapd-IDM-EXAMPLE-COM/ -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
      Copy to Clipboard Toggle word wrap

      The default certificate nickname is Server-Cert, but it is possible that a different name was applied.

    2. Remove the old invalid certificate from the NSS database (NSSDB) by using the certificate nickname from the previous step: 

      # certutil -D -d /etc/dirsrv/slapd-IDM-EXAMPLE-COM/ -n 'Server-Cert' -f /etc/dirsrv/slapd-IDM-EXAMPLE-COM/pwdfile.txt
      Copy to Clipboard Toggle word wrap

    3. Create a PKCS12 file to ease the import process into NSSDB: 

      # openssl pkcs12 -export -in ldap.crt -inkey ldap.key -out ldap.p12 -name Server-Cert
      Copy to Clipboard Toggle word wrap

    4. Install the created PKCS#12 file into the NSSDB: 

      # pk12util -i ldap.p12 -d /etc/dirsrv/slapd-IDM-EXAMPLE-COM/ -k /etc/dirsrv/slapd-IDM-EXAMPLE-COM/pwdfile.txt
      Copy to Clipboard Toggle word wrap

    5. Check that the new certificate has been successfully imported: 

      # certutil -L -d /etc/dirsrv/slapd-IDM-EXAMPLE-COM/
      Copy to Clipboard Toggle word wrap

  6. Restart the httpd service: 

    # systemctl restart httpd.service
    Copy to Clipboard Toggle word wrap

  7. Restart the Directory service: 

    # systemctl restart dirsrv@IDM-EXAMPLE-COM.service
    Copy to Clipboard Toggle word wrap
  8. Perform all the previous steps on all your IdM replicas. This is a prerequisite for establishing TLS connections between the replicas.

  9. Enroll the new certificates to LDAP storage:

    1. Replace the Apache web server’s old private key and certificate with the new key and the newly-signed certificate: 

      # ipa-server-certinstall -w --pin=password /var/lib/ipa/private/httpd.key /var/lib/ipa/certs/httpd.crt
      Copy to Clipboard Toggle word wrap

      In the command above:

      • The -w option specifies that you are installing a certificate into the web server.
      • The --pin option specifies the password protecting the private key.
    2. When prompted, enter the Directory Manager password.

    3. Replace the LDAP server’s old private key and certificate with the new key and the newly-signed certificate: 

      # ipa-server-certinstall -d --pin=password /etc/dirsrv/slapd-IDM-EXAMPLE-COM/ldap.key /path/to/ldap.crt
      Copy to Clipboard Toggle word wrap

      In the command above:

      • The -d option specifies that you are installing a certificate into the LDAP server.
      • The --pin option specifies the password protecting the private key.
    4. When prompted, enter the Directory Manager password.

    5. Restart the httpd service: 

      # systemctl restart httpd.service
      Copy to Clipboard Toggle word wrap

    6. Restart the Directory service: 

      # systemctl restart dirsrv@IDM-EXAMPLE-COM.service
      Copy to Clipboard Toggle word wrap
  10. Execute the commands from the previous step on all the other affected replicas.
Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat