Chapter 14. Replacing the web server and LDAP server certificates if they have not yet expired on an IdM replica

As an Identity Management (IdM) system administrator, you can manually replace the certificates for the web (or httpd) and LDAP (or Directory) services running on an IdM server. For example, this might be necessary if the certificates are nearing expiration and if the certmonger utility is either not configured to renew the certificates automatically or if the certificates are signed by an external certificate authority (CA).

The example installs the certificates for the services running on the server.idm.example.com IdM server. You obtain the certificates from an external CA.

Note

The HTTP and LDAP service certificates have different keypairs and subject names on different IdM servers and so you must renew the certificates on each IdM server individually.

Prerequisites

  • On at least one other IdM replica in the topology with which the IdM server has a replication agreement, the web and LDAP certificates are still valid. This is a prerequisite for the ipa-server-certinstall command. The command requires a TLS connection to communicate with other IdM replicas. However, with invalid certificates, such a connection could not be established, and the ipa-server-certinstall command would fail. In that case, see Replacing the web server and LDAP server certificates if they have expired in the whole IdM deployment.
  • You have root access to the IdM server.
  • You know the Directory Manager password.
  • You have access to a file storing the CA certificate chain of the external CA, ca_certificate_chain_file.crt.

Procedure

  1. Install the certificates contained in ca_certificate_chain_file.crt as additional CA certificates to IdM: 

    # ipa-cacert-manage install

  2. Update the local IdM certificate databases with certificates from ca_certicate_chain_file.crt: 

    # ipa-certupdate

  3. Generate a private key and a certificate signing request (CSR) using the OpenSSL utility: 

    $ openssl req -new -newkey rsa:4096 -days 365 -nodes -keyout new.key -out new.csr -addext "subjectAltName = DNS:server.idm.example.com" -subj '/CN=server.idm.example.com,O=IDM.EXAMPLE.COM'

    Submit the CSR to the external CA. The process differs depending on the service to be used as the external CA. After the CA signs the certificate, import the certificate to the IdM server.

  4. On the IdM server, replace the Apache web server’s old private key and certificate with the new key and the newly-signed certificate: 

    # ipa-server-certinstall -w --pin=password new.key new.crt

    In the command above:

    • The -w option specifies that you are installing a certificate into the web server.
    • The --pin option specifies the password protecting the private key.
  5. When prompted, enter the Directory Manager password.

  6. Replace the LDAP server’s old private key and certificate with the new key and the newly-signed certificate: 

    # ipa-server-certinstall -d --pin=password new.key new.cert

    In the command above:

    • The -d option specifies that you are installing a certificate into the LDAP server.
    • The --pin option specifies the password protecting the private key.
  7. When prompted, enter the Directory Manager password.

  8. Restart the httpd service: 

    # systemctl restart httpd.service

  9. Restart the Directory service: 

    # systemctl restart dirsrv@IDM.EXAMPLE.COM.service

  10. If a subCA has been removed or replaced on the servers, update the clients: 

    # ipa-certupdate

Additional resources