Installing a new SSL server certificate for the Apache Web Server, the Directory Server, or both replaces the current SSL certificate with a new one. To do this, you need:
For a list of accepted formats of the key and certificate, see the ipa-server-certinstall(1) man page.
certificate must be signed by a CA known by the service you are loading the certificate into. If this is not the case, install the CA certificate of the CA that signed
into IdM, as described in Section 26.3, “Installing a CA Certificate Manually”
This ensures that IdM recognizes the CA, and thus accepts
Installing the Third-Party Certificate
ipa-server-certinstall utility to install the certificate. Specify where you want to install it:
For example, to install the SSL certificate into both:
# ipa-server-certinstall --http --dirsrv ssl.key ssl.crt
Restart the server into which you installed the certificate.
To restart the Apache Web Server:
# systemctl restart httpd.service
To restart the Directory Server:
# systemctl restart dirsrv@REALM.service
To verify that the certificate has been correctly installed, make sure it is present in the certificate database.
To display the Apache certificate database:
# certutil -L -d /etc/httpd/alias
To display the Directory Server certificate database:
# certutil -L -d /etc/dirsrv/slapd-REALM/