Chapter 65. Renewing expired system certificates when IdM is offline
If a system certificate has expired, Identity Management (IdM) fails to start. IdM supports renewing system certificates even in this situation by using the ipa-cert-fix tool.
Prerequisites
- IdM is installed only on Red Hat Enterprise Linux 8.1 or later.
- Ensure that the LDAP service is running by entering the ipactl start --ignore-service-failures command on the host.
65.1. Renewing expired system certificates on a CA renewal server
This section describes how to apply the ipa-cert-fix tool to expired IdM certificates.
If you run the ipa-cert-fix tool on a CA (Certificate Authority) host that is not the CA renewal server, and the utility renews shared certificates, that host automatically becomes the new CA renewal server in the domain. There must always be only one CA renewal server in the domain to avoid inconsistencies.
Prerequisites
- Log in to the server with administration rights.
Procedure
1. Start the ipa-cert-fix tool to analyze the system and list expired certificates that require renewal:

# ipa-cert-fix
...
The following certificates will be renewed:
Dogtag sslserver certificate:
  Subject: CN=ca1.example.com,O=EXAMPLE.COM 201905222205
  Serial:  13
  Expires: 2019-05-12 05:55:47
...
Enter "yes" to proceed:

2. Enter yes to start the renewal process:

Enter "yes" to proceed: yes
Proceeding.
Renewed Dogtag sslserver certificate:
  Subject: CN=ca1.example.com,O=EXAMPLE.COM 201905222205
  Serial:  268369925
  Expires: 2021-08-14 02:19:33
...
Becoming renewal master.
The ipa-cert-fix command was successful

It can take up to one minute before ipa-cert-fix renews all expired certificates.

3. Optionally, verify that all services are now running:

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
At this point, certificates have been renewed and services are running. The next step is to check other servers in the IdM domain.
If you need to repair certificates across multiple CA servers:
- After ensuring that LDAP replication is working across the topology, first run ipa-cert-fix on one CA server, according to the above procedure.
- Before you run ipa-cert-fix on another CA server, trigger Certmonger renewals for shared certificates via getcert resubmit (on the other CA server), to avoid unnecessary renewal of shared certificates.
65.2. Verifying other IdM servers in the IdM domain after renewal
After renewing the CA renewal server’s certificates with the ipa-cert-fix tool, you must:
- Restart all other Identity Management (IdM) servers in the domain.
- Check if certmonger renewed certificates.
- If there are other Certificate Authority (CA) replicas with expired system certificates, renew those certificates with the ipa-cert-fix tool as well.
Prerequisites
- Log in to the server with administration rights.
Procedure
1. Restart IdM with the --force parameter:

# ipactl restart --force

With the --force parameter, the ipactl utility ignores individual service startup failures. For example, if the server is also a CA with expired certificates, the pki-tomcat service fails to start. This is expected and is ignored because the --force parameter is used.

2. After the restart, verify that the certmonger service renewed the certificates (certificate status says MONITORING):

# getcert list | egrep '^Request|status:|subject:'
Request ID '20190522120745':
        status: MONITORING
        subject: CN=IPA RA,O=EXAMPLE.COM 201905222205
Request ID '20190522120834':
        status: MONITORING
        subject: CN=Certificate Authority,O=EXAMPLE.COM 201905222205
...

It can take some time before certmonger renews the shared certificates on the replica.

If the server is also a CA, the previous command reports CA_UNREACHABLE for the certificate the pki-tomcat service uses:

Request ID '20190522120835':
        status: CA_UNREACHABLE
        subject: CN=ca2.example.com,O=EXAMPLE.COM 201905222205
...

3. To renew this certificate, use the ipa-cert-fix utility:

# ipa-cert-fix
Dogtag sslserver certificate:
  Subject: CN=ca2.example.com,O=EXAMPLE.COM
  Serial:  3
  Expires: 2019-05-11 12:07:11
Enter "yes" to proceed: yes
Proceeding.
Renewed Dogtag sslserver certificate:
  Subject: CN=ca2.example.com,O=EXAMPLE.COM 201905222205
  Serial:  15
  Expires: 2019-08-14 04:25:05
The ipa-cert-fix command was successful

Now, all IdM certificates have been renewed and work correctly.
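A small shell check for the verification step in this procedure, added here as an example and not part of Red Hat's tooling: it parses getcert list output (a constructed sample mirroring the format shown above), reports every tracked request that is not in the MONITORING state, and maps a CA_UNREACHABLE request to the ipa-cert-fix step, so the decision is made from the output rather than by eye.

```shell
# Added example, not part of the Red Hat procedure. Constructed sample of
# `getcert list | egrep '^Request|status:|subject:'` output, mirroring the
# format shown above (no real server was queried).
sample_getcert() {
cat <<'EOF'
Request ID '20190522120745':
        status: MONITORING
        subject: CN=IPA RA,O=EXAMPLE.COM 201905222205
Request ID '20190522120834':
        status: MONITORING
        subject: CN=Certificate Authority,O=EXAMPLE.COM 201905222205
Request ID '20190522120835':
        status: CA_UNREACHABLE
        subject: CN=ca2.example.com,O=EXAMPLE.COM 201905222205
EOF
}

# Read getcert output on stdin and print "<request id> <status> <subject>"
# for every tracked certificate that is NOT in MONITORING state. Lines the
# egrep filter would drop (type:, expires:, ...) are ignored, so unfiltered
# `getcert list` output works too.
unhealthy_requests() {
    awk '
        function flush() {
            if (id != "" && status != "MONITORING") print id, status, subject
            id = ""; status = ""; subject = ""
        }
        /^Request ID/     { flush(); id = $3; gsub(/[^A-Za-z0-9_-]/, "", id) }
        /^[ \t]*status:/  { status = $2 }
        /^[ \t]*subject:/ { sub(/^[ \t]*subject: */, ""); subject = $0 }
        END               { flush() }
    '
}

# Map the findings to the next step of the procedure: CA_UNREACHABLE on a CA
# server is the pki-tomcat certificate that only ipa-cert-fix can renew; any
# other non-MONITORING state needs a closer look before proceeding.
next_action() {
    findings=$(unhealthy_requests)
    if [ -z "$findings" ]; then
        echo "all-monitoring"
    elif printf '%s\n' "$findings" | grep -q ' CA_UNREACHABLE '; then
        echo "run-ipa-cert-fix"
    else
        echo "investigate"
    fi
}

# Stand-alone run against the constructed sample; on a real server, pipe
# `getcert list` into next_action instead.
sample_getcert | next_action
```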
65.3. Replacing the web server and LDAP server certificates
As an Identity Management (IdM) system administrator, you can manually replace the certificates for the web (or httpd) and LDAP (or Directory) services running on an IdM server. For example, this might be necessary if the certmonger utility is not configured to renew the certificates automatically, or if the certificates are signed by an external certificate authority (CA).
The example installs the certificates for the services running on the server.idm.example.com IdM server. You obtain the certificates from an external CA.
The HTTP and LDAP service certificates have different keypairs and subject names on different IdM servers, so you must renew the certificates on each IdM server individually.
Prerequisites
- You have root access to the IdM server.
- You know the Directory Manager password.
- You have access to a file storing the CA certificate chain of the external CA, ca_certificate_chain_file.crt.
Procedure
1. Install the certificates contained in ca_certificate_chain_file.crt as additional CA certificates to IdM:

# ipa-cacert-manage install ca_certificate_chain_file.crt

2. Update the local IdM certificate databases with certificates from ca_certificate_chain_file.crt:

# ipa-certupdate

3. Generate a private key and a certificate signing request (CSR) using the OpenSSL utility:

$ openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout new.key -out new.csr -addext "subjectAltName = DNS:server.idm.example.com,DNS:ipa-ca.idm.example.com" -subj '/CN=server.idm.example.com/O=IDM.EXAMPLE.COM'

4. Submit the CSR to the external CA. The process differs depending on the service to be used as the external CA. After the CA signs the certificate, import the certificate to the IdM server.

5. On the IdM server, replace the Apache web server’s old private key and certificate with the new key and the newly-signed certificate:

# ipa-server-certinstall -w --pin=password new.key new.crt

In the command above:
- The -w option specifies that you are installing a certificate into the web server.
- The --pin option specifies the password protecting the private key.

When prompted, enter the Directory Manager password.

6. Replace the LDAP server’s old private key and certificate with the new key and the newly-signed certificate:

# ipa-server-certinstall -d --pin=password new.key new.crt

In the command above:
- The -d option specifies that you are installing a certificate into the LDAP server.
- The --pin option specifies the password protecting the private key.

When prompted, enter the Directory Manager password.

7. Restart the httpd service:

# systemctl restart httpd.service

8. Restart the Directory service:

# systemctl restart dirsrv@IDM.EXAMPLE.COM.service
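Before running ipa-server-certinstall, it is worth confirming that new.key and new.crt actually belong together, that the certificate is not about to expire, and that it names this server; a mismatched pair or a certificate issued for another host leaves httpd or dirsrv unable to start after the restart. The following POSIX shell checks are an added example (not Red Hat's code) and assume OpenSSL 1.1.1 or later on the host:

```shell
# Added example, not part of the Red Hat procedure. Assumes OpenSSL 1.1.1+.

# 0 if the public key embedded in CERT is the one derived from KEY.
# Both sides are normalised to DER and hashed so PEM formatting differences
# do not matter.
cert_matches_key() {
    key=$1; cert=$2
    k=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if CERT stays valid for at least DAYS more days (default 30); installing
# a certificate that expires next week just repeats this whole procedure.
cert_valid_for_days() {
    cert=$1; days=${2:-30}
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# 0 if the subject CN of CERT equals HOST. ipa-server-certinstall installs the
# certificate for this server only, so a certificate for another IdM server
# (each has its own key pair and subject) must be rejected here.
cert_cn_is() {
    cert=$1; host=$2
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/^subject=//p' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1)
    [ "$cn" = "$host" ]
}

# Run all checks in order; print a one-word verdict, non-zero on failure.
# Usage: preflight new.key new.crt server.idm.example.com
preflight() {
    key=$1; cert=$2; host=$3
    cert_matches_key "$key" "$cert" || { echo "key-mismatch"; return 1; }
    cert_valid_for_days "$cert" 30  || { echo "expires-soon"; return 1; }
    cert_cn_is "$cert" "$host"      || { echo "wrong-subject"; return 1; }
    echo "ok"
}
```

Run preflight on the key and certificate pair before each ipa-server-certinstall call; only an "ok" verdict means the pair is safe to install for this server.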
Additional resources
- Converting certificate formats to work with IdM
- The ipa-server-certinstall(1) man page