Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 20. Replacing the web server and LDAP server certificates if they have not yet expired on an IdM replica

As an Identity Management (IdM) system administrator, you can manually replace the certificates used by the web (or httpd) and LDAP (or Directory) services running on an IdM server. This might be necessary if the certificates are nearing expiration and either the certmonger utility is not configured for automatic renewal, or the certificates are signed by an external certificate authority (CA).

The example describes how to install the certificates for the services running on the server.idm.example.com IdM server. You obtain the certificates from an external CA.

Note

The httpd and LDAP service certificates have different key pairs and subject names on different IdM servers and so you must renew the certificates on each IdM server individually.

Prerequisites

  • On at least one other IdM replica in the topology with which the IdM server has a replication agreement, the web and LDAP certificates are still valid. This is a prerequisite for the ipa-server-certinstall command, which requires a TLS connection to communicate with other IdM replicas. If the certificates are invalid, the connection cannot be established, and the command fails. In that case, see Replacing the web server and LDAP server certificates if they have expired in the whole IdM deployment.
  • You have root access to the IdM server.
  • You know the Directory Manager password.
  • If the new httpd/LDAP certificate is going to be signed by a different external CA than the old one, you have access to the files storing the CA certificate chain of the external CA.

Procedure

  1. If the new httpd/LDAP certificate is going to be signed by a different CA than the old one, install the new external CA certificate and the whole CA certificate chain of the external CA as additional CA certificates to IdM. The files storing the certificates are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats.

    1. Install the CA certificate: 

      # ipa-cacert-manage install /path/to/ca.crt
      Copy to Clipboard Toggle word wrap
      Important

      If the new external CA certificate has the same subject as the old one but is different because it uses a different key, you can use it only if you have met the following conditions:

      • The two certificates have identical trust flags.
      • The CAs share the same nickname.
      • The X509 extensions listed in the certificate include the Authority Key Identifier (AKI) extension.

    2. Install the rest of the certificate chain as additional CA certificates into IdM. Because the ipa-cacert-manage install command reads only the first certificate in a file, you must install the full CA chain one certificate at a time. For example, if the chain includes two certificates, save each one in a separate file and run ipa-cacert-manage install individually for each file: 

      # ipa-cacert-manage install /path/to/intermediate-ca.crt
      Copy to Clipboard Toggle word wrap 
      # ipa-cacert-manage install /path/to/root-ca.crt
      Copy to Clipboard Toggle word wrap

    3. Update the local IdM certificate databases with certificates from the certificate chain: 

      # ipa-certupdate
      Copy to Clipboard Toggle word wrap

  2. Generate a private key and a certificate signing request (CSR) using the OpenSSL utility: 

    $ openssl req -new -newkey rsa:4096 -days 365 -nodes -keyout new.key -out new.csr -addext "subjectAltName = DNS:server.idm.example.com" -subj '/CN=server.idm.example.com,O=IDM.EXAMPLE.COM'
    Copy to Clipboard Toggle word wrap

    Submit the CSR to the external CA. The process differs depending on the service to be used as the external CA. After the CA signs the certificate, import the certificate to the IdM server.

  3. On the IdM server, replace the Apache web server’s old private key and certificate with the new key and the newly-signed certificate: 

    # ipa-server-certinstall -w --pin=password new.key new.crt
    Copy to Clipboard Toggle word wrap

    In the command above:

    • The -w option specifies that you are installing a certificate into the web server.
    • The --pin option specifies the password protecting the private key.
  4. When prompted, enter the Directory Manager password.

  5. Replace the LDAP server’s old private key and certificate with the new key and the newly-signed certificate: 

    # ipa-server-certinstall -d --pin=password new.key new.cert
    Copy to Clipboard Toggle word wrap

    In the command above:

    • The -d option specifies that you are installing a certificate into the LDAP server.
    • The --pin option specifies the password protecting the private key.
  6. When prompted, enter the Directory Manager password.

  7. Restart the httpd service: 

    # systemctl restart httpd.service
    Copy to Clipboard Toggle word wrap

  8. Restart the Directory service: 

    # systemctl restart dirsrv@IDM.EXAMPLE.COM.service
    Copy to Clipboard Toggle word wrap

  9. If a subCA has been removed or replaced on the servers, update the clients: 

    # ipa-certupdate
    Copy to Clipboard Toggle word wrap
Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat