Chapter 20. Replacing the web server and LDAP server certificates if they have not yet expired on an IdM replica
As an Identity Management (IdM) system administrator, you can manually replace the certificates for the web (or httpd) and LDAP (or Directory) services running on an IdM server. For example, this might be necessary if the certificates are nearing expiration and the certmonger utility is not configured to renew them automatically, or if the certificates are signed by an external certificate authority (CA).
The example installs the certificates for the services running on the server.idm.example.com IdM server. You obtain the certificates from an external CA.
The HTTP and LDAP service certificates have different keypairs and subject names on different IdM servers and so you must renew the certificates on each IdM server individually.
Prerequisites
- On at least one other IdM replica in the topology with which the IdM server has a replication agreement, the web and LDAP certificates are still valid. This is a prerequisite for the ipa-server-certinstall command. The command requires a TLS connection to communicate with other IdM replicas. However, with invalid certificates, such a connection could not be established, and the ipa-server-certinstall command would fail. In that case, see Replacing the web server and LDAP server certificates if they have expired in the whole IdM deployment.
- You have root access to the IdM server.
- You know the Directory Manager password.
- You have access to a file storing the CA certificate chain of the external CA, ca_certificate_chain_file.crt.
Procedure
1. Install the certificates contained in ca_certificate_chain_file.crt as additional CA certificates to IdM:
   # ipa-cacert-manage install ca_certificate_chain_file.crt
2. Update the local IdM certificate databases with certificates from ca_certificate_chain_file.crt:
   # ipa-certupdate
3. Generate a private key and a certificate signing request (CSR) using the OpenSSL utility:
   $ openssl req -new -newkey rsa:4096 -days 365 -nodes -keyout new.key -out new.csr -addext "subjectAltName = DNS:server.idm.example.com" -subj '/CN=server.idm.example.com/O=IDM.EXAMPLE.COM'
   Note that the components of the -subj value are separated by a slash; if a comma were used instead, OpenSSL would treat the whole string as a single CN.
4. Submit the CSR to the external CA. The process differs depending on the service used as the external CA. After the CA signs the certificate, import the certificate to the IdM server.
5. On the IdM server, replace the Apache web server’s old private key and certificate with the new key and the newly signed certificate:
   # ipa-server-certinstall -w --pin=password new.key new.crt
   In the command above:
   - The -w option specifies that you are installing a certificate into the web server.
   - The --pin option specifies the password protecting the private key.
   When prompted, enter the Directory Manager password.
6. Replace the LDAP server’s old private key and certificate with the new key and the newly signed certificate:
   # ipa-server-certinstall -d --pin=password new.key new.cert
   In the command above:
   - The -d option specifies that you are installing a certificate into the LDAP server.
   - The --pin option specifies the password protecting the private key.
   When prompted, enter the Directory Manager password.
7. Restart the httpd service:
   # systemctl restart httpd.service
8. Restart the Directory service:
   # systemctl restart dirsrv@IDM.EXAMPLE.COM.service
9. If a subCA has been removed or replaced on the servers, update the clients:
   # ipa-certupdate
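As an added example that is not part of the Red Hat documentation, the following POSIX shell script runs the checks a practitioner would want before the ipa-server-certinstall steps above: that new.key and the signed certificate belong together, that the certificate carries the subjectAltName the CSR requested, that it still has time left and chains to ca_certificate_chain_file.crt, and (the prerequisite above) that another replica's LDAP certificate is still valid. It assumes the file names and host names used in the procedure and OpenSSL 1.1.1 or later; the function names are mine.

```shell
#!/bin/sh
# Pre-flight checks before running ipa-server-certinstall (added example, not from
# the Red Hat documentation). Assumes the procedure's file names (new.key, new.crt,
# ca_certificate_chain_file.crt) and OpenSSL 1.1.1 or later for -ext.

# 0 if the private key and the signed certificate carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | od -An -tx1 | tr -d ' \n')
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null |
        openssl pkey -pubin -outform DER 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if the certificate lists DNS:<fqdn> in subjectAltName (what the CSR asked for).
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        grep -Eq "DNS:$2(,|[[:space:]]|\$)"
}

# 0 if the certificate is still valid DAYS days from now (-checkend takes seconds).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 0 if the certificate verifies against the external CA chain installed in step 1.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Prerequisite: the LDAP certificate on another replica must not have expired,
# otherwise ipa-server-certinstall cannot open its TLS connection to it.
replica_ldap_cert_valid() {
    openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -checkend 0 >/dev/null 2>&1
}

# Run every local check; report each failure and return non-zero if any failed.
preflight() {
    key=$1; cert=$2; chain=$3; fqdn=$4; rc=0
    key_matches_cert "$key" "$cert"    || { echo "key/cert mismatch" >&2; rc=1; }
    cert_has_san "$cert" "$fqdn"       || { echo "missing DNS:$fqdn in SAN" >&2; rc=1; }
    cert_valid_for_days "$cert" 30     || { echo "cert expires within 30 days" >&2; rc=1; }
    cert_chains_to_ca "$cert" "$chain" || { echo "cert does not chain to CA" >&2; rc=1; }
    return $rc
}

# On the IdM server, before step 5:
# preflight new.key new.crt ca_certificate_chain_file.crt server.idm.example.com
# replica_ldap_cert_valid replica.idm.example.com   # replica name is a placeholder
```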