Red Hat SummitChapter 19. Replacing the web server and LDAP server certificates if they have not yet expired on an IdM replica
As an RHEL Identity Management (IdM) system administrator, you can manually replace the certificates for the web (or httpd) and LDAP (or Directory) services running on an IdM server. For example, this might be necessary if the certificates are nearing expiration and if the certmonger utility is either not configured to renew the certificates automatically or if the certificates are signed by an external certificate authority (CA).
The example installs the certificates for the services running on the server.idm.example.com IdM server. You obtain the certificates from an external CA.
The HTTP and LDAP service certificates have different keypairs and subject names on different IdM servers and so you must renew the certificates on each IdM server individually.
Prerequisites
-
On at least one other IdM replica in the topology with which the IdM server has a replication agreement, the web and LDAP certificates are still valid. This is a prerequisite for the
ipa-server-certinstallcommand. The command requires aTLSconnection to communicate with other IdM replicas. However, with invalid certificates, such a connection could not be established, and theipa-server-certinstallcommand would fail. -
You have
rootaccess to the IdM server. -
You know the
Directory Managerpassword. - You have access to a file storing the CA certificate chain of the external CA, ca_certificate_chain_file.crt.
Procedure
Install the certificates contained in ca_certificate_chain_file.crt as additional CA certificates to IdM:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow ipa-cacert-manage install
# ipa-cacert-manage installUpdate the local IdM certificate databases with certificates from ca_certicate_chain_file.crt:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow ipa-certupdate
# ipa-certupdateGenerate a private key and a certificate signing request (CSR) using the
OpenSSLutility:Copy to Clipboard Copied! Toggle word wrap Toggle overflow openssl req -new -newkey rsa:4096 -days 365 -nodes -keyout new.key -out new.csr -addext "subjectAltName = DNS:server.idm.example.com" -subj '/CN=server.idm.example.com,O=IDM.EXAMPLE.COM'
$ openssl req -new -newkey rsa:4096 -days 365 -nodes -keyout new.key -out new.csr -addext "subjectAltName = DNS:server.idm.example.com" -subj '/CN=server.idm.example.com,O=IDM.EXAMPLE.COM'Submit the CSR to the external CA. The process differs depending on the service to be used as the external CA. After the CA signs the certificate, import the certificate to the IdM server.
On the IdM server, replace the Apache web server’s old private key and certificate with the new key and the newly-signed certificate:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow ipa-server-certinstall -w --pin=password new.key new.crt
# ipa-server-certinstall -w --pin=password new.key new.crtIn the command above:
-
The
-woption specifies that you are installing a certificate into the web server. -
The
--pinoption specifies the password protecting the private key.
-
The
-
When prompted, enter the
Directory Managerpassword. Replace the LDAP server’s old private key and certificate with the new key and the newly-signed certificate:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow ipa-server-certinstall -d --pin=password new.key new.cert
# ipa-server-certinstall -d --pin=password new.key new.certIn the command above:
-
The
-doption specifies that you are installing a certificate into the LDAP server. -
The
--pinoption specifies the password protecting the private key.
-
The
-
When prompted, enter the
Directory Managerpassword. Restart the
httpdservice:Copy to Clipboard Copied! Toggle word wrap Toggle overflow systemctl restart httpd.service
# systemctl restart httpd.serviceRestart the
Directoryservice:Copy to Clipboard Copied! Toggle word wrap Toggle overflow systemctl restart dirsrv@IDM.EXAMPLE.COM.service
# systemctl restart dirsrv@IDM.EXAMPLE.COM.serviceIf a subCA has been removed or replaced on the servers, update the clients:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow ipa-certupdate
# ipa-certupdate
Additional resources
-
ipa-server-certinstall(1)man page on your system
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}