Renewing System Certificates

Endi S. Dewata edited this page Jan 24, 2025 · 7 revisions

Overview

ipa-cert-fix is a tool that restores an IPA server that fails to start because its PKI system certificates have expired.

IPA uses LDAPI to communicate with DS for the following reasons:

  • DS certificate may be expired.

  • We need to set/reset the password for some accounts using ldappasswd, which requires a confidential channel. Since the DS certificate may be expired, LDAPS/STARTTLS cannot be used, and the local LDAPI socket provides that confidentiality.

Renewing System Certificates using ipa-cert-fix

To renew the certs on the main server:

$ ipa-cert-fix

To renew the certs on the clone:

$ ipactl restart --force
$ ipa-cert-fix

Renewing System Certificates using pki-server cert-fix

Internally, ipa-cert-fix calls pki-server cert-fix to perform the actual renewal. If necessary, pki-server cert-fix can be called directly.

Prerequisites

  • Valid CA certificate

  • cert-fix must be run as root

  • The password of the specified agent account will be reset. If needed, it can be changed back afterwards (manually; successful execution of cert-fix proves that the operator has the privileges to do this)

  • The password of the pkidbuser account will be reset

Renewal Process

Determine the serial number of the IPA RA, DS LDAP and HTTPD certificates.

# keytool -printcert -file /var/lib/ipa/ra-agent.pem
# certutil -L -n Server-Cert -d /etc/dirsrv/slapd-REALM
# keytool -printcert -file /var/lib/ipa/certs/httpd.crt

Ensure DS is running.

# systemctl status dirsrv@REALM

Run the following command, providing all the certs that need to be renewed. The command should complete without error.

# pki-server cert-fix \
    --ldapi-socket /var/run/slapd-REALM.socket \
    --agent-uid admin \
    --cert sslserver \
    --cert subsystem \
    --cert ca_ocsp_signing \
    --cert ca_audit_signing \
    --extra-cert $IPA_RA_SERIAL \
    --extra-cert $DS_SERIAL \
    --extra-cert $HTTPD_SERIAL

Verify that there is no internaldb field in /var/lib/pki/pki-tomcat/conf/password.conf.

Verify that CS.cfg has internaldb.ldapauth.authtype=SslClientAuth.

Copy /var/lib/pki/pki-tomcat/conf/certs/$IPA_RA_SERIAL-renewed.crt to /var/lib/ipa/ra-agent.pem.

Remove the old DS cert and import the renewed DS cert into the DS NSSDB, providing the pin from /etc/dirsrv/slapd-REALM/pin.txt.

# certutil -D -n Server-Cert \
    -d /etc/dirsrv/slapd-REALM/

# certutil -A -n Server-Cert \
    -d /etc/dirsrv/slapd-REALM/ \
    -t ',,' \
    -a -i /var/lib/pki/pki-tomcat/conf/certs/${DS_SERIAL}-renewed.crt

Copy /var/lib/pki/pki-tomcat/conf/certs/$HTTPD_SERIAL-renewed.crt to /var/lib/ipa/certs/httpd.crt.

ipactl restart should succeed.

Verify that PKI operations succeed.

# pki -U https://<host>:8443 ca-cert-find
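The serial-number lookup and the two post-renewal configuration checks from the procedure above, as an added shell example (not from the PKI wiki or the pki-server tool); the function names and the sample password.conf, CS.cfg and keytool output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the PKI wiki: shell helpers for the serial-number
# lookup and the two post-renewal configuration checks in the procedure above,
# exercised against constructed sample data. Function names are this example's own.

# Print the serial token from "keytool -printcert" or "certutil -L" output.
# Both tools emit a "Serial number:" line; keytool prints the value in hex,
# certutil prints decimal followed by the hex form in parentheses.
serial_from_output() {
    awk 'tolower($1 $2) == "serialnumber:" { print $3; exit }'
}

# Succeed only if password.conf no longer carries an internaldb entry
# (after cert-fix the CA authenticates to DS with its client certificate).
check_password_conf() {
    ! grep -q '^internaldb=' "$1"
}

# Succeed only if CS.cfg selects client-cert authentication to the internal DB.
check_cs_cfg() {
    grep -q '^internaldb\.ldapauth\.authtype=SslClientAuth$' "$1"
}

# Run both checks, report each result, and return 0 only when both pass.
verify_cert_fix_result() {
    rc=0
    if check_password_conf "$1"; then echo "OK:   no internaldb password in $1"
    else echo "FAIL: internaldb password still present in $1"; rc=1; fi
    if check_cs_cfg "$2"; then echo "OK:   SslClientAuth configured in $2"
    else echo "FAIL: internaldb.ldapauth.authtype is not SslClientAuth in $2"; rc=1; fi
    return $rc
}

# Constructed sample files standing in for a server's password.conf and CS.cfg.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'internal=secret\ninternaldb=oldpass\n' > "$SAMPLE_DIR/password.before.conf"
printf 'internal=secret\n' > "$SAMPLE_DIR/password.after.conf"
printf 'internaldb.ldapauth.authtype=SslClientAuth\ninternaldb.ldapconn.port=389\n' > "$SAMPLE_DIR/CS.cfg"

# Constructed keytool-style output for the IPA RA certificate.
IPA_RA_SERIAL=$(printf 'Owner: CN=IPA RA\nSerial number: 1f\n' | serial_from_output)
echo "IPA RA serial: $IPA_RA_SERIAL"

echo "--- checks against the pre-renewal sample (expected to fail) ---"
verify_cert_fix_result "$SAMPLE_DIR/password.before.conf" "$SAMPLE_DIR/CS.cfg" || echo "pre-renewal config rejected"
echo "--- checks against the post-renewal sample ---"
verify_cert_fix_result "$SAMPLE_DIR/password.after.conf" "$SAMPLE_DIR/CS.cfg"
```

On a real server, point the two checks at /var/lib/pki/pki-tomcat/conf/password.conf and the CA's CS.cfg, and feed serial_from_output with the keytool or certutil output shown in the procedure.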
