Menu Close

Red Hat Training

A Red Hat training course is available for RHEL 8

Chapter 66. Replacing the web server and LDAP server certificates

As an Identity Management (IdM) system administrator, you can manually replace the certificates for the web (or httpd) and LDAP (or Directory) services running on an IdM server. For example, this might be necessary if the certmonger utility is not configured to renew the certificates automatically, or if the certificates are signed by an external certificate authority (CA).

The example installs the certificates for the services running on the server.idm.example.com IdM server. You obtain the certificates from an external CA.

Note

The HTTP and LDAP service certificates have different keypairs and subject names on different IdM servers and so you must renew the certificates on each IdM server individually.

Prerequisites

  • You have root access to the IdM server.
  • You know the Directory Manager password.
  • You have access to a file storing the CA certificate chain of the external CA, ca_certificate_chain_file.crt.

Procedure

  1. Install the certificates contained in ca_certificate_chain_file.crt as additional CA certificates to IdM:

    # ipa-cacert-manage install
  2. Update the local IdM certificate databases with certificates from ca_certicate_chain_file.crt:

    # ipa-certupdate
  3. Generate a private key and a certificate signing request (CSR) using the OpenSSL utility:

    $ openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout new.key -out new.csr -addext "subjectAltName = DNS:ipa-ca.idm.example.test" -subj '/CN=server.idm.example.com,O=IDM.EXAMPLE.COM'

    Submit the CSR to the external CA. The process differs depending on the service to be used as the external CA. After the CA signs the certificate, import the certificate to the IdM server.

  4. On the IdM server, replace the Apache web server’s old private key and certificate with the new key and the newly-signed certificate:

    # ipa-server-certinstall -w --pin=password new.key new.crt

    In the command above:

    • The -w option specifies that you are installing a certificate into the web server.
    • The --pin option specifies the password protecting the private key.
  5. When prompted, enter the Directory Manager password.
  6. Replace the LDAP server’s old private key and certificate with the new key and the newly-signed certificate:

    # ipa-server-certinstall -d --pin=password new.key new.cert

    In the command above:

    • The -d option specifies that you are installing a certificate into the LDAP server.
    • The --pin option specifies the password protecting the private key.
  7. When prompted, enter the Directory Manager password.
  8. Restart the httpd service:

    # systemctl restart httpd.service
  9. Restart the Directory service:

    # systemctl restart dirsrv@IDM.EXAMPLE.COM.service

Additional resources