26.2. Renewing Certificates
For details on:
- automatic certificate renewal, see Section 26.2.1, “Renewing Certificates Automatically”
- manual certificate renewal, see Section 26.2.2, “Renewing CA Certificates Manually”
26.2.1. Renewing Certificates Automatically
The certmonger service automatically renews the following certificates 28 days before their expiration date:
- CA certificate issued by the IdM CA as the root CA
- Subsystem and server certificates issued by the integrated IdM CA that are used by internal IdM services
To have certmonger automatically renew the certificates of IdM sub-CAs, those certificates must be on the certmonger tracking list. Running ipa-certupdate on the server updates the tracking list:
[root@ipaserver ~]# ipa-certupdate
trying https://idmserver.idm.example.com/ipa/json
Forwarding 'schema' to json server 'https://idmserver.idm.example.com/ipa/json'
trying https://idmserver.idm.example.com/ipa/json
Forwarding 'ca_is_enabled' to json server 'https://idmserver.idm.example.com/ipa/json'
Forwarding 'ca_find/1' to json server 'https://idmserver.idm.example.com/ipa/json'
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
Note
If you are using an external CA as the root CA, you must renew the IdM CA certificate manually, as described in Section 26.2.2, “Renewing CA Certificates Manually”. The certmonger service cannot automatically renew certificates signed by an external CA.
For more information on how certmonger monitors certificate expiration dates, see Tracking Certificates with certmonger in the System-Level Authentication Guide.
To verify that automatic renewal works as expected, examine the certmonger log messages in the /var/log/messages file:
- As a certificate nears its expiration, certmonger logs a message like the following. The certificate is identified by its nickname, the NSS token and the NSS database it lives in; the date is in YYYYMMDDhhmmss form:
certmonger: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" will not be valid after 20160204065136.
- After a certificate is renewed, certmonger records a message like the following to indicate whether the renewal operation succeeded or failed:
Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/var/lib/pki-ca/alias" renew success
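Checking these messages by hand across several servers gets tedious. The following script is an added example, not part of the Red Hat documentation or of certmonger: it summarizes, per certificate nickname, the last renewal event found in a syslog-style file, using only the two message forms quoted above. A nickname whose last event is an expiry warning with no later "renew success" is the one to chase before the 28-day window runs out. The sample log lines are constructed so the script runs without an IdM server; the hostname idmserver and the /etc/pki/pki-tomcat/alias path in them are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation or of certmonger.
# Summarize certmonger renewal events from a syslog-style file such as
# /var/log/messages, using the message forms quoted in this section.

# certmonger_status FILE
# Prints one line per certificate nickname, in the order first seen:
#   NICKNAME|STATUS|DETAIL
# STATUS is "renewed" when the last event for that nickname is "renew success"
# (DETAIL is the syslog timestamp), or "expiring" when the last event is a
# "will not be valid after" warning (DETAIL is that time as YYYY-MM-DD hh:mm:ss).
certmonger_status() {
    grep 'certmonger' "$1" | grep 'Certificate named "' | awk '
    {
        # The nickname is the quoted string right after "Certificate named ".
        tag = "Certificate named \""
        rest = substr($0, index($0, tag) + length(tag))
        nick = substr(rest, 1, index(rest, "\"") - 1)
        if (!(nick in seen)) { seen[nick] = 1; names[++count] = nick }
        if ($0 ~ /renew success/) {
            status[nick] = "renewed"
            detail[nick] = $1 " " $2 " " $3
        } else if (match($0, /will not be valid after [0-9][0-9]*/)) {
            # 24 = length of "will not be valid after "
            ts = substr($0, RSTART + 24, RLENGTH - 24)
            status[nick] = "expiring"
            detail[nick] = substr(ts, 1, 4) "-" substr(ts, 5, 2) "-" substr(ts, 7, 2) " " substr(ts, 9, 2) ":" substr(ts, 11, 2) ":" substr(ts, 13, 2)
        }
    }
    END {
        for (i = 1; i <= count; i++)
            print names[i] "|" status[names[i]] "|" detail[names[i]]
    }'
}

# write_sample_log FILE
# Constructed sample lines in /var/log/messages format (hostname and NSS
# database path are assumptions), so the script can be run offline.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan  7 06:51:36 idmserver certmonger: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20160204065136.
Jan  7 06:52:01 idmserver certmonger: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" renew success
Jan  7 06:52:10 idmserver certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20160204065140.
Jan  7 06:52:11 idmserver systemd: Started Session 42 of user root.
EOF
}

# Run against the file given as the first argument, or against the sample.
if [ $# -gt 0 ]; then
    certmonger_status "$1"
else
    sample=$(mktemp)
    write_sample_log "$sample"
    certmonger_status "$sample"
    rm -f "$sample"
fi
```

Run it as `sh certmonger_status.sh /var/log/messages` on each IdM server; on the sample it reports auditSigningCert cert-pki-ca as renewed and ocspSigningCert cert-pki-ca as expiring on 2016-02-04 06:51:40. Lines from other daemons are ignored, and only the most recent event per nickname is kept, so an old warning followed by a successful renewal is not reported as a problem.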
26.2.2. Renewing CA Certificates Manually
You can use the ipa-cacert-manage utility to manually renew:
- self-signed IdM CA certificate
- externally-signed IdM CA certificate
The certificates renewed with the ipa-cacert-manage renew command use the same key pair and subject name as the old certificates. Renewing a certificate does not remove its previous version, which enables certificate rollover.
For details, see the ipa-cacert-manage(1) man page.
26.2.2.1. Renewing a Self-Signed IdM CA Certificate Manually
- Run the ipa-cacert-manage renew command. The command does not require you to specify the path to the certificate.
- The renewed certificate is now present in the LDAP certificate store and in the /etc/pki/pki-tomcat/alias NSS database.
- Run the ipa-certupdate utility on all servers and clients to update them with the information about the new certificate from LDAP. You must run ipa-certupdate on every server and client separately.
Important
Always run ipa-certupdate after manually installing a certificate. If you do not, the certificate will not be distributed to the other machines.
To make sure the renewed certificate is properly installed, use the certutil utility to list the certificates in the database. For example:
# certutil -L -d /etc/pki/pki-tomcat/alias
26.2.2.2. Renewing an Externally-Signed IdM CA Certificate Manually
- Run the ipa-cacert-manage renew --external-ca command.
- The command creates the /var/lib/ipa/ca.csr CSR file. Submit the CSR to the external CA to get the renewed CA certificate issued.
- Run ipa-cacert-manage renew again, this time specifying the renewed CA certificate and the external CA certificate chain files with the --external-cert-file option. For example:
# ipa-cacert-manage renew --external-cert-file=/tmp/servercert20110601.pem --external-cert-file=/tmp/cacert.pem
- The renewed CA certificate and the external CA certificate chain are now present in the LDAP certificate store and in the /etc/pki/pki-tomcat/alias/ NSS database.
- Run the ipa-certupdate utility on all servers and clients to update them with the information about the new certificate from LDAP. You must run ipa-certupdate on every server and client separately.
Important
Always run ipa-certupdate after manually installing a certificate. If you do not, the certificate will not be distributed to the other machines.
To make sure the renewed certificate is properly installed, use the certutil utility to list the certificates in the database. For example:
# certutil -L -d /etc/pki/pki-tomcat/alias/
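The externally-signed procedure above hands a CSR to a CA you do not control and then installs whatever comes back, and the section notes that a renewed certificate must keep the same key pair and subject name as the old one. The following script is an added example, not part of the Red Hat documentation or of the ipa tooling: before the second ipa-cacert-manage renew, it checks with openssl that the returned certificate was issued for the key and subject in the CSR, that it is a CA certificate, and that it verifies against the chain file you are about to pass with --external-cert-file. The paths /var/lib/ipa/ca.csr, /tmp/servercert20110601.pem and /tmp/cacert.pem are taken from this section as illustrations; the function name and exit codes are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation or the ipa tooling.
# Sanity-check a CA certificate returned by an external CA before passing it to
#   ipa-cacert-manage renew --external-cert-file=CERT --external-cert-file=CHAIN
# The renewed certificate must be for the same key pair and subject as the CSR
# that "ipa-cacert-manage renew --external-ca" wrote, must be a CA certificate,
# and must chain to the external CA certificate(s) in CHAIN.

# check_renewed_ca_cert CSR CERT CHAIN
# Returns 0 when every check passes, 1 on a mismatch, 2 if a file is unreadable.
check_renewed_ca_cert() {
    csr=$1; cert=$2; chain=$3

    # 1. Same key pair: the SubjectPublicKeyInfo in the certificate must be
    #    byte-for-byte the one in the CSR.
    csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) \
        || { echo "cannot parse CSR: $csr" >&2; return 2; }
    cert_key=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "cannot parse certificate: $cert" >&2; return 2; }
    if [ "$csr_key" != "$cert_key" ]; then
        echo "FAIL: public key in $cert is not the key from $csr" >&2
        return 1
    fi

    # 2. Same subject name. RFC 2253 formatting keeps the comparison independent
    #    of how a given openssl version prints names by default.
    csr_subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 | sed 's/^subject=[[:space:]]*//')
    cert_subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject=[[:space:]]*//')
    if [ "$csr_subj" != "$cert_subj" ]; then
        echo "FAIL: subject '$cert_subj' differs from CSR subject '$csr_subj'" >&2
        return 1
    fi

    # 3. It has to be a CA certificate, or the IdM CA cannot issue with it.
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        echo "FAIL: $cert is not a CA certificate (no basicConstraints CA:TRUE)" >&2
        return 1
    fi

    # 4. The chain file you are about to install must actually lead to it.
    if ! openssl verify -CAfile "$chain" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo "FAIL: $cert does not verify against the chain in $chain" >&2
        return 1
    fi

    echo "OK: $cert matches $csr and chains to $chain"
    return 0
}

# Paths as used in this section; the CSR is the one written by
# "ipa-cacert-manage renew --external-ca".
if [ $# -eq 3 ]; then
    check_renewed_ca_cert "$1" "$2" "$3"
elif [ $# -ne 0 ]; then
    echo "usage: $0 /var/lib/ipa/ca.csr /tmp/servercert20110601.pem /tmp/cacert.pem" >&2
    exit 64
fi
```

Run it as `sh check_renewed_ca_cert.sh /var/lib/ipa/ca.csr /tmp/servercert20110601.pem /tmp/cacert.pem` and only proceed with `ipa-cacert-manage renew --external-cert-file=...` on an "OK" result. The key comparison is the important one: a CA that quietly re-keyed or altered the subject would leave the IdM CA unable to use its existing private key with the new certificate, and the chain check catches handing in the wrong or an incomplete cacert.pem.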
