How to add third party certificates for HTTP/LDAP in IPA

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • Identity Management/IPA

Issue

We would like to use third-party (externally issued) certificates for the HTTP and LDAP services in IPA.

Resolution

  1. You will need the following files:

    mysite.key (the private key for your server certificate; keep it readable by root only)
    mysite.crt (your server certificate, issued for the IPA server's FQDN)
    ca.pem (the CA certificate, or chain, that issued mysite.crt)
    
  2. Before the server certificates are installed, the CA certificate (or chain) must be added to the IPA trust store; otherwise ipa-server-certinstall rejects the server certificate as untrusted:

    Run the ipa-cacert-manage install command and specify the path to the file containing the certificate. The command accepts PEM-formatted certificate files; -n sets the nickname under which the CA is stored, and -t C,, (the default) marks it as a trusted CA for TLS server authentication:

    # ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install ca.pem
    

    Do this for each CA in the chain, if they are not bundled together.

    The certificate(s) is/are now present in the LDAP certificate store.

  3. Once the CA certificate(s) have been installed, make them available in all the right places:

    Run the ipa-certupdate utility on all servers and clients to update them with the new certificate information from LDAP. You must run ipa-certupdate on every server and client separately:

    # ipa-certupdate
    

    Note Always run ipa-certupdate after manually installing a new certificate. If you do not, the certificate will not be distributed to the other machines.

  4. Install the third-party server certificate and key for both services:

    # ipa-server-certinstall -w -d mysite.key mysite.crt
    

    Note

    -w, --http    installs the certificate for the HTTP server
    -d, --dirsrv  installs the certificate for the LDAP server

    The command prompts for the Directory Manager password, and for the private key passphrase if the key is encrypted.

  5. Restart the HTTPD and LDAP services (REALM is the Kerberos realm with dots replaced by dashes, for example dirsrv@IDM-EXAMPLE-TEST.service):

    # systemctl restart httpd.service
    # systemctl restart dirsrv@REALM.service
    
  6. Check that the certificates were installed correctly (INSTANCE is the same realm-derived name as in the service unit, for example IDM-EXAMPLE-TEST; on RHEL 8+ the HTTP certificate is a PEM file rather than an NSS database entry):

    Red Hat Enterprise Linux 7:

    # certutil -L -d /etc/httpd/alias
    # certutil -L -d /etc/dirsrv/slapd-INSTANCE
    

    Red Hat Enterprise Linux 8+:

    # certutil -L -d /etc/dirsrv/slapd-INSTANCE
    # openssl x509 -in  /var/lib/ipa/certs/httpd.crt  -noout -text
    
  7. Verify the certificate chains. openssl verify uses the system CA trust store, which ipa-certupdate refreshed in step 3, so a failure here usually means that step was skipped on this host. certutil -O prints the chain from the LDAP server's NSS database (the realm in this example is IDM.EXAMPLE.TEST):

    # openssl verify -show_chain /var/lib/ipa/certs/httpd.crt
    # certutil -O -d /etc/dirsrv/slapd-IDM-EXAMPLE-TEST/ -n Server-Cert
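Most failures of the procedure above come from the input files themselves: a key that does not belong to the certificate, a certificate whose issuer is not the CA that was installed in step 2, or a certificate that lacks the server's FQDN. The following pre-flight script is an added example and is not part of this Red Hat solution. It checks the three files from step 1 before any IPA command is run and needs only openssl, so it is safe to run on any host. The make_test_pki helper produces a throwaway CA and server certificate as constructed test data; the FQDN ipa.example.test and the function names are assumptions, and the file names follow step 1.

```bash
#!/usr/bin/env bash
# Pre-flight checks for the files handed to ipa-cacert-manage and ipa-server-certinstall.
# Added example, not part of the Red Hat solution; it needs only openssl and never touches IPA.

# ipa_cert_preflight KEY CRT CA FQDN
# Returns 0 when every check passes, 1 otherwise (one FAIL line per failed check).
ipa_cert_preflight() {
    local key=$1 crt=$2 ca=$3 fqdn=$4 rc=0 kpub cpub text pat

    for f in "$key" "$crt" "$ca"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
    done

    # 1. The private key must belong to the certificate: derive the public key from
    #    each and compare the two (hashed so the comparison is a single string test).
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256)
    [ "$kpub" = "$cpub" ] || { echo "FAIL: $key does not match the public key in $crt"; rc=1; }

    # 2. The certificate must chain to the CA that step 2 installs; ipa-server-certinstall
    #    rejects a server certificate whose issuer is not in the IPA trust store.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL: $crt does not verify against $ca"; rc=1; }

    text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null)

    # 3. Clients match the IPA server's FQDN against subjectAltName, so it must be a DNS SAN.
    pat=$(printf '%s' "$fqdn" | sed 's/\./\\./g')   # escape dots for grep -E
    printf '%s\n' "$text" | grep -Eq "DNS:${pat}(,|\$)" \
        || { echo "FAIL: $fqdn is not a DNS SAN in $crt"; rc=1; }

    # 4. Server certificates need extendedKeyUsage serverAuth ("TLS Web Server Authentication").
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
        || { echo "FAIL: $crt lacks extendedKeyUsage serverAuth"; rc=1; }

    # 5. Refuse a certificate that is expired or expires within 30 days.
    openssl x509 -in "$crt" -noout -checkend $((30 * 24 * 3600)) >/dev/null 2>&1 \
        || { echo "FAIL: $crt is expired or expires within 30 days"; rc=1; }

    return "$rc"
}

# make_test_pki DIR FQDN
# Constructed test data only: a throwaway CA plus a server certificate issued by it.
# A minimal req config is written so the run does not depend on the system openssl.cnf.
make_test_pki() {
    local dir=$1 fqdn=$2
    mkdir -p "$dir"
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\n' > "$dir/req.cnf"
    printf 'keyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' >> "$dir/req.cnf"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > "$dir/srv.ext"
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$fqdn" >> "$dir/srv.ext"

    openssl req -x509 -config "$dir/req.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -subj "/CN=Constructed Test CA" -days 90 2>/dev/null
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/mysite.key" -out "$dir/mysite.csr" -subj "/CN=$fqdn" 2>/dev/null
    openssl x509 -req -in "$dir/mysite.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 90 -extfile "$dir/srv.ext" -out "$dir/mysite.crt" 2>/dev/null
}

# Stand-alone demonstration on constructed material; ipa.example.test is an assumed FQDN.
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir" ipa.example.test
if ipa_cert_preflight "$demo_dir/mysite.key" "$demo_dir/mysite.crt" "$demo_dir/ca.pem" ipa.example.test; then
    echo "preflight OK: safe to continue with ipa-cacert-manage install and ipa-server-certinstall"
fi
rm -rf "$demo_dir"
```

On a real server, replace the constructed material with the paths from step 1 and the IPA server's FQDN, for example `ipa_cert_preflight mysite.key mysite.crt ca.pem "$(hostname -f)"`, and run the procedure only when the function prints nothing and returns 0. The 30-day expiry margin is deliberate: the certificate installed by ipa-server-certinstall is not renewed by certmonger, so a short-lived certificate will need the whole procedure repeated.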
    
Component: ipa

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
