updating/renewing CA and server cert

Hi all,

The SSL Howto on the wiki doesn't really cover a procedure for what to do
when your root CA has to be renewed, along with your server certs.

I have 3 servers whose server certs are all signed with our own root CA, but
that root CA is expiring, and needs to be replaced. Presumably this means I
also need to replace the server certs, since they were signed with this
expiring root CA.

What I was able to do was just blow away /opt/fedora-ds/alias/*.db, and then
run:

###### CREATE NEW *.db FILES ########
/opt/fedora-ds/share/bin/certutil -N -d /opt/fedora-ds/alias -P slapd-ldap-

###### INSTALL NEW ROOT CA ########
/opt/fedora-ds/share/bin/certutil -A -n "My Dept. Root CA" -P slapd-ldap- -d /opt/fedora-ds/alias -t "CT,," -a -i ./cacert.pem

###### CREATE NEW SERVER CERT REQUEST #######
/opt/fedora-ds/share/bin/certutil -R -d /opt/fedora-ds/alias -a -P slapd-ldap- -s "cn=ldap.my-domain.com" -o /tmp/csr.der.txt -g 1024

###### SIGN THE NEW SERVER CERT REQUEST ########
openssl ca -config openssl.cnf -policy policy_anything -out certs/ldapcert.pem -infiles csr.der.txt

###### INSTALL NEW SERVER CERT #########
/opt/fedora-ds/share/bin/certutil -A -d /opt/fedora-ds/alias -n "ldap-server-cert" -P slapd-ldap- -t "u,u,u" -a -i /opt/fedora-ds/alias/ldapcert.pem

At this point, my server starts up just fine and all appears to be well, but
it doesn't seem like it should be absolutely necessary to start over from
scratch on each server when our root CA expires. Can someone detail a
shorter method to replace expired root CAs *and* server certificates?

thanks.
brian.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20060612/0f08cd1a/attachment.html 
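Added example (editor's code, not from the post or from the 389/Fedora DS project): a POSIX shell script that renews the CA and server certificates inside the existing NSS database by nickname (certutil -D of the old entry, then certutil -A of the new PEM) instead of deleting the *.db files, with a certutil -L check of the installed cert afterwards. The paths, prefix and nicknames are the ones from the post and are assumptions; CERTUTIL and DBDIR can be overridden (CERTUTIL=echo gives a dry run), the signing step is still the openssl ca command above, and the 2048-bit key size is this script's choice.

```shell
#!/bin/sh
# In-place renewal of CA + server cert in an NSS cert database (added example).
# Assumed defaults taken from the post; override via environment if needed.
CERTUTIL="${CERTUTIL:-/opt/fedora-ds/share/bin/certutil}"
DBDIR="${DBDIR:-/opt/fedora-ds/alias}"
PREFIX="${PREFIX:-slapd-ldap-}"
CA_NICK="${CA_NICK:-My Dept. Root CA}"
SERVER_NICK="${SERVER_NICK:-ldap-server-cert}"

# Replace one certificate by nickname: delete the old entry (a missing entry
# is not an error, so the script can be re-run), then import the new PEM
# with the given trust flags. The database files themselves are kept.
replace_cert() {
    nick="$1"; trust="$2"; pem="$3"
    "$CERTUTIL" -D -d "$DBDIR" -P "$PREFIX" -n "$nick" 2>/dev/null || true
    "$CERTUTIL" -A -d "$DBDIR" -P "$PREFIX" -n "$nick" -t "$trust" -a -i "$pem"
}

# Generate a fresh key pair and a PEM CSR for the server subject.
new_csr() {
    subject="$1"; csr_out="$2"
    "$CERTUTIL" -R -d "$DBDIR" -P "$PREFIX" -s "$subject" -a -o "$csr_out" -g 2048
}

# Print the installed cert so the operator can confirm the new validity dates.
show_cert() {
    "$CERTUTIL" -L -d "$DBDIR" -P "$PREFIX" -n "$1"
}

# Phase 1 (before signing): install the new root CA, produce the CSR.
renew_prepare() {
    ca_pem="$1"; subject="$2"; csr_out="$3"
    replace_cert "$CA_NICK" "CT,," "$ca_pem"
    new_csr "$subject" "$csr_out"
}

# Phase 2 (after 'openssl ca' has signed the CSR): install and verify.
renew_install() {
    server_pem="$1"
    replace_cert "$SERVER_NICK" "u,u,u" "$server_pem"
    show_cert "$SERVER_NICK"
}
```

Run renew_prepare with the new CA PEM, the server subject and a CSR output path, sign the CSR with the new CA, then run renew_install with the signed PEM; repeat per server with its own subject.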