26.6. Installing Third-Party Certificates for HTTP or LDAP

Installing a new SSL server certificate for the Apache Web Server, the Directory Server, or both replaces the current SSL certificate with a new one. To do this, you need:
  • your private SSL key (ssl.key in the procedure below)
  • your SSL certificate (ssl.crt in the procedure below)
For a list of accepted formats of the key and certificate, see the ipa-server-certinstall(1) man page.

Prerequisites

The ssl.crt certificate must be signed by a CA known by the service you are loading the certificate into. If this is not the case, install the CA certificate of the CA that signed ssl.crt into IdM, as described in Section 26.3, “Installing a CA Certificate Manually”.
This ensures that IdM recognizes the CA, and thus accepts ssl.crt.

Installing the Third-Party Certificate

  1. Use the ipa-server-certinstall utility to install the certificate. Specify where you want to install it:
    • --http installs the certificate in the Apache Web Server
    • --dirsrv installs the certificate on the Directory Server
    For example, to install the SSL certificate into both: 
    # ipa-server-certinstall --http --dirsrv ssl.key ssl.crt
  2. Restart the server into which you installed the certificate.
    • To restart the Apache Web Server: 
      # systemctl restart httpd.service
    • To restart the Directory Server: 
      # systemctl restart dirsrv@REALM.service
  3. To verify that the certificate has been correctly installed, make sure it is present in the certificate database.
    • To display the Apache certificate database: 
      # certutil -L -d /etc/httpd/alias
    • To display the Directory Server certificate database: 
      # certutil -L -d /etc/dirsrv/slapd-REALM/