19.7. 使 certmonger 恢复跟踪 CA 副本中的 IdM 证书
此流程演示,在证书跟踪被中断后,如何使 certmonger 恢复对带有集成证书颁发机构的 IdM 部署很重要的 Identity Management(IdM)系统证书的跟踪。IdM 主机在续订系统证书的过程中无法从 IdM 取消注册,或者复制拓扑无法正常工作。此流程还演示,如何使 certmonger 恢复对 IdM 服务证书(即 HTTP、LDAP 和 PKINIT 证书)的跟踪。
先决条件
- 要恢复跟踪系统证书的主机是一个 IdM 服务器,它也是 IdM 证书颁发机构(CA),而不是 IdM CA 续订服务器。
步骤
获取 subsystem CA 证书的 PIN:
# grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf在子系统 CA 证书中添加跟踪,使用上一步中获取的 PIN 替换下面的命令中的
[internal PIN]:# getcert start-tracking -d /etc/pki/pki-tomcat/alias -n "caSigningCert cert-pki-ca" -c 'dogtag-ipa-ca-renew-agent' -P [internal PIN] -B /usr/libexec/ipa/certmonger/stop_pkicad -C '/usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"' -T caCACert # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n "auditSigningCert cert-pki-ca" -c 'dogtag-ipa-ca-renew-agent' -P [internal PIN] -B /usr/libexec/ipa/certmonger/stop_pkicad -C '/usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"' -T caSignedLogCert # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca" -c 'dogtag-ipa-ca-renew-agent' -P [internal PIN] -B /usr/libexec/ipa/certmonger/stop_pkicad -C '/usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"' -T caOCSPCert # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n "subsystemCert cert-pki-ca" -c 'dogtag-ipa-ca-renew-agent' -P [internal PIN] -B /usr/libexec/ipa/certmonger/stop_pkicad -C '/usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"' -T caSubsystemCert # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" -c 'dogtag-ipa-ca-renew-agent' -P [internal PIN] -B /usr/libexec/ipa/certmonger/stop_pkicad -C '/usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"' -T caServerCert
为剩余的 IdM 证书(
HTTP、LDAP、IPA 续订代理和PKINIT证书)添加跟踪:# getcert start-tracking -f /var/lib/ipa/certs/httpd.crt -k /var/lib/ipa/private/httpd.key -p /var/lib/ipa/passwds/idm.example.com-443-RSA -c IPA -C /usr/libexec/ipa/certmonger/restart_httpd -T caIPAserviceCert # getcert start-tracking -d /etc/dirsrv/slapd-IDM-EXAMPLE-COM -n "Server-Cert" -c IPA -p /etc/dirsrv/slapd-IDM-EXAMPLE-COM/pwdfile.txt -C '/usr/libexec/ipa/certmonger/restart_dirsrv "IDM-EXAMPLE-COM"' -T caIPAserviceCert # getcert start-tracking -f /var/lib/ipa/ra-agent.pem -k /var/lib/ipa/ra-agent.key -c dogtag-ipa-ca-renew-agent -B /usr/libexec/ipa/certmonger/renew_ra_cert_pre -C /usr/libexec/ipa/certmonger/renew_ra_cert -T caSubsystemCert # getcert start-tracking -f /var/kerberos/krb5kdc/kdc.crt -k /var/kerberos/krb5kdc/kdc.key -c dogtag-ipa-ca-renew-agent -B /usr/libexec/ipa/certmonger/renew_ra_cert_pre -C /usr/libexec/ipa/certmonger/renew_kdc_cert -T KDCs_PKINIT_Certs
重启
certmonger:# systemctl restart certmonger在
certmonger启动后等待一分钟,然后检查新证书的状态:# getcert list
其他资源
- 如果您的 IdM 系统证书已全部过期,请参阅 这个以知识为中心的支持(KCS)解决方案,来手动更新 IdM CA 服务器上的 IdM 系统证书,该服务器也是 CA 续订服务器和 CRL 发布者服务器。然后,请按照 此 KCS 解决方案中描述的步骤手动在拓扑中的所有其它 CA 服务器中续订 IdM 系统证书。
