26.2. Renewing Certificates

For details on:

26.2.1. Renewing Certificates Automatically

The certmonger service automatically renews the following certificates 28 days before their expiration date:
  • CA certificate issued by the IdM CA as the root CA
  • Subsystem and server certificates issued by the integrated IdM CA that are used by internal IdM services
To automatically renew sub-CA CA certificates, they must be listed on the certmonger tracking list. To update the tracking list:
[root@ipaserver ~]# ipa-certupdate
trying https://idmserver.idm.example.com/ipa/json
Forwarding 'schema' to json server 'https://idmserver.idm.example.com/ipa/json'
trying https://idmserver.idm.example.com/ipa/json
Forwarding 'ca_is_enabled' to json server 'https://idmserver.idm.example.com/ipa/json'
Forwarding 'ca_find/1' to json server 'https://idmserver.idm.example.com/ipa/json'
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful

Note

If you are using an external CA as the root CA, you must renew the certificates manually, as described in Section 26.2.2, “Renewing CA Certificates Manually”. The certmonger service cannot automatically renew certificates signed by an external CA.
For more information on how certmonger monitors certificate expiration dates, see Tracking Certificates with certmonger in the System-Level Authentication Guide.
To verify that automatic renewal works as expected, examine certmonger log messages in the /var/log/messages file:
  • After a certificate is renewed, certmonger records a message like the following to indicate whether the renewal operation succeeded or failed:
    Certificate named "NSS Certificate DB" in token "auditSigningCert cert-pki-ca" in database "/var/lib/pki-ca/alias" renew success
  • As the certificate nears its expiration, certmonger logs the following message:
    certmonger: Certificate named "NSS Certificate DB" in token "auditSigningCert cert-pki-ca" in database "/var/lib/pki-ca/alias" will not be valid after 20160204065136.
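A small parser for the two certmonger message formats quoted above, added here as an example (it is not part of the guide or of certmonger): it flags any certificate whose logged expiry falls within certmonger's 28-day renewal window and any renewal whose outcome is not "success". The sample log lines, the failure wording "renew failed", the extra "ocspSigningCert" entry and the fixed clock are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# "will not be valid after YYYYMMDDhhmmss" message (format as quoted in the guide)
EXPIRY_RE = re.compile(
    r'Certificate named "(?P<name>[^"]+)" in token "(?P<token>[^"]+)" '
    r'in database "(?P<db>[^"]+)" will not be valid after (?P<ts>\d{14})'
)
# "renew success" / "renew <other>" outcome message
RENEW_RE = re.compile(
    r'Certificate named "(?P<name>[^"]+)" in token "(?P<token>[^"]+)" '
    r'in database "(?P<db>[^"]+)" renew (?P<result>\S+)'
)
RENEWAL_WINDOW = timedelta(days=28)  # certmonger renews 28 days before expiry

# Constructed sample of /var/log/messages; the "renew failed" wording is assumed.
SAMPLE_LOG = [
    'Feb  1 06:51:36 ipaserver certmonger: Certificate named "NSS Certificate DB" in token '
    '"auditSigningCert cert-pki-ca" in database "/var/lib/pki-ca/alias" will not be valid after 20160204065136.',
    'Feb  1 06:51:40 ipaserver certmonger: Certificate named "NSS Certificate DB" in token '
    '"auditSigningCert cert-pki-ca" in database "/var/lib/pki-ca/alias" renew success',
    'Feb  1 06:52:00 ipaserver certmonger: Certificate named "NSS Certificate DB" in token '
    '"ocspSigningCert cert-pki-ca" in database "/var/lib/pki-ca/alias" will not be valid after 20170204065136.',
    'Feb  1 06:52:05 ipaserver certmonger: Certificate named "NSS Certificate DB" in token '
    '"ocspSigningCert cert-pki-ca" in database "/var/lib/pki-ca/alias" renew failed',
    'Feb  1 06:53:00 ipaserver sshd[1234]: Accepted publickey for root from 192.0.2.10',
]
SAMPLE_NOW = datetime(2016, 1, 20)  # fixed clock so the result is reproducible

def parse_line(line):
    """Return a dict for a certmonger expiry/renewal message, or None for other lines."""
    m = EXPIRY_RE.search(line)
    if m:
        ev = m.groupdict()
        ev["expires"] = datetime.strptime(ev.pop("ts"), "%Y%m%d%H%M%S")
        ev["event"] = "expiry"
        return ev
    m = RENEW_RE.search(line)
    if m:
        ev = m.groupdict()
        ev["event"] = "renew"
        return ev
    return None

def check_renewals(lines, now):
    """Return (database, token, reason) findings that an operator should look at."""
    findings = []
    for ev in filter(None, map(parse_line, lines)):
        if ev["event"] == "expiry":
            remaining = ev["expires"] - now
            if remaining <= RENEWAL_WINDOW:  # inside the window: renewal should be under way
                findings.append((ev["db"], ev["token"], f"expires in {remaining.days} days, inside renewal window"))
        elif ev["result"] != "success":  # any non-success outcome needs manual attention
            findings.append((ev["db"], ev["token"], f"renewal {ev['result']}"))
    return findings

def run_sample():
    return check_renewals(SAMPLE_LOG, SAMPLE_NOW)
```

Replace SAMPLE_LOG with the lines of /var/log/messages and SAMPLE_NOW with datetime.now() to run it against a real server.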

26.2.2. Renewing CA Certificates Manually

You can use the ipa-cacert-manage utility to manually renew:
  • self-signed IdM CA certificate
  • externally-signed IdM CA certificate
The certificates renewed with the ipa-cacert-manage renew command use the same key pair and subject name as the old certificates. Renewing a certificate does not remove its previous version; the old certificate is kept to enable certificate rollover.
For details, see the ipa-cacert-manage(1) man page.

26.2.2.1. Renewing a Self-Signed IdM CA Certificate Manually

  1. Run the ipa-cacert-manage renew command. The command does not require you to specify the path to the certificate.
  2. The renewed certificate is now present in the LDAP certificate store and in the /etc/pki/pki-tomcat/alias NSS database.
  3. Run the ipa-certupdate utility on all servers and clients to update them with the information about the new certificate from LDAP. You must run ipa-certupdate on every server and client separately.

    Important

    Always run ipa-certupdate after manually installing a certificate. If you do not, the certificate will not be distributed to the other machines.
To make sure the renewed certificate is properly installed, use the certutil utility to list the certificates in the database. For example:
# certutil -L -d /etc/pki/pki-tomcat/alias

26.2.2.2. Renewing an Externally-Signed IdM CA Certificate Manually

  1. Run the ipa-cacert-manage renew --external-ca command.
  2. The command creates the /var/lib/ipa/ca.crt CSR file. Submit the CSR to the external CA to get the renewed CA certificate issued.
  3. Run ipa-cacert-manage renew again, and this time specify the renewed CA certificate and the external CA certificate chain files using the --external-cert-file option. For example:
    # ipa-cacert-manage renew --external-cert-file=/tmp/servercert20110601.pem --external-cert-file=/tmp/cacert.pem
  4. The renewed CA certificate and the external CA certificate chain are now present in the LDAP certificate store and in the /etc/pki/pki-tomcat/alias/ NSS database.
  5. Run the ipa-certupdate utility on all servers and clients to update them with the information about the new certificate from LDAP. You must run ipa-certupdate on every server and client separately.

    Important

    Always run ipa-certupdate after manually installing a certificate. If you do not, the certificate will not be distributed to the other machines.
To make sure the renewed certificate is properly installed, use the certutil utility to list the certificates in the database. For example:
# certutil -L -d /etc/pki/pki-tomcat/alias/