Menu Close

15.7. 使 certmonger 恢复跟踪 CA 副本中的 IdM 证书

此流程演示,在证书跟踪被中断后,如何使 certmonger 恢复对带有集成证书颁发机构的 IdM 部署很重要的 Identity Management(IdM)系统证书的跟踪。IdM 主机在续订系统证书的过程中无法从 IdM 取消注册,或者复制拓扑无法正常工作。此流程还演示,如何使 certmonger 恢复对 IdM 服务证书(即 HTTPLDAPPKINIT 证书)的跟踪。

先决条件

  • 要恢复跟踪系统证书的主机是一个 IdM 服务器,它也是 IdM 证书颁发机构(CA),而不是 IdM CA 续订服务器。

步骤

  1. 获取 subsystem CA 证书的 PIN:

    # grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf
  2. 在子系统 CA 证书中添加跟踪,使用上一步中获取的 PIN 替换下面的命令中的 [internal PIN]

    # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n "caSigningCert cert-pki-ca" -c 'dogtag-ipa-ca-renew-agent' -P [internal PIN] -B /usr/libexec/ipa/certmonger/stop_pkicad -C '/usr/libexec/ipa/certmonger/renew_ca_cert -T caCACert "caSigningCert cert-pki-ca"'
    
    # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n "auditSigningCert cert-pki-ca" -c 'dogtag-ipa-ca-renew-agent' -P [internal PIN] -B /usr/libexec/ipa/certmonger/stop_pkicad -C '/usr/libexec/ipa/certmonger/renew_ca_cert -T caSignedLogCert "auditSigningCert cert-pki-ca"'
    
    # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca" -c 'dogtag-ipa-ca-renew-agent' -P [internal PIN] -B /usr/libexec/ipa/certmonger/stop_pkicad -C '/usr/libexec/ipa/certmonger/renew_ca_cert -T caOCSPCert "ocspSigningCert cert-pki-ca"'
    
    # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n "subsystemCert cert-pki-ca" -c 'dogtag-ipa-ca-renew-agent' -P [internal PIN] -B /usr/libexec/ipa/certmonger/stop_pkicad -C '/usr/libexec/ipa/certmonger/renew_ca_cert -T caSubsystemCert "subsystemCert cert-pki-ca"'
    
    # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" -c 'dogtag-ipa-ca-renew-agent' -P [internal PIN] -B /usr/libexec/ipa/certmonger/stop_pkicad -C '/usr/libexec/ipa/certmonger/renew_ca_cert -T caServerCert "Server-Cert cert-pki-ca"'
  3. 为剩余的 IdM 证书(HTTPLDAPIPA 续订代理PKINIT 证书)添加跟踪:

    # getcert start-tracking -f /var/lib/ipa/certs/httpd.crt -k /var/lib/ipa/private/httpd.key -p /var/lib/ipa/passwds/idm.example.com-443-RSA -c IPA -C /usr/libexec/ipa/certmonger/restart_httpd -T caIPAserviceCert
    
    # getcert start-tracking -d /etc/dirsrv/slapd-IDM-EXAMPLE-COM -n "Server-Cert" -c IPA -p /etc/dirsrv/slapd-IDM-EXAMPLE-COM/pwdfile.txt -C '/usr/libexec/ipa/certmonger/restart_dirsrv -T caIPAserviceCert "IDM-EXAMPLE-COM"'
    
    # getcert start-tracking -f /var/lib/ipa/ra-agent.pem -k /var/lib/ipa/ra-agent.key -c dogtag-ipa-ca-renew-agent -B /usr/libexec/ipa/certmonger/renew_ra_cert_pre -C /usr/libexec/ipa/certmonger/renew_ra_cert -T caSubsystemCert
    
    # getcert start-tracking -f /var/kerberos/krb5kdc/kdc.crt -k /var/kerberos/krb5kdc/kdc.key -c dogtag-ipa-ca-renew-agent -B /usr/libexec/ipa/certmonger/renew_ra_cert_pre -C /usr/libexec/ipa/certmonger/renew_kdc_cert -T KDCs_PKINIT_Certs
  4. 重启 certmonger

    # systemctl restart certmonger
  5. certmonger 启动后等待一分钟,然后检查新证书的状态:

    # getcert list

其他资源

  • 如果您的 IdM 系统证书已全部过期,请参阅 这个以知识为中心的支持(KCS)解决方案,来手动更新 IdM CA 服务器上的 IdM 系统证书,该服务器也是 CA 续订服务器和 CRL 发布者服务器。然后,请按照 此 KCS 解决方案中描述的步骤手动在拓扑中的所有其它 CA 服务器中续订 IdM 系统证书。