updating/renewing CA and server cert

Hi all,

The SSL Howto on the wiki doesn't really cover a procedure for what to do when your root CA has to be renewed, along with your server certs.

I have 3 servers whose server certs are all signed with our own root CA, but that root CA is expiring, and needs to be replaced. Presumably this means I also need to replace the server certs, since they were signed with this expiring root CA.

What I was able to do was just blow away /opt/fedora-ds/alias/*.db, and then run:

###### CREATE NEW *.db FILES ########
/opt/fedora-ds/share/bin/certutil -N -d /opt/fedora-ds/alias -P slapd-ldap-

###### INSTALL NEW ROOT CA ########
# trust flags "CT,,": trusted CA for issuing SSL server and client certs
/opt/fedora-ds/share/bin/certutil -A -n "My Dept. Root CA" -P slapd-ldap- -d /opt/fedora-ds/alias -t "CT,," -a -i ./cacert.pem

###### CREATE NEW SERVER CERT REQUEST #######
# -a writes the request in ASCII (PEM) form; -g 1024 is the key size used in the
# original post, current practice is 2048 bits or more
/opt/fedora-ds/share/bin/certutil -R -d /opt/fedora-ds/alias -a -P slapd-ldap- -s "cn=ldap.my-domain.com" -o /tmp/csr.der.txt -g 1024

###### SIGN THE NEW SERVER CERT REQUEST ########
# reads the request written by the previous step, writes the signed cert to certs/ldapcert.pem
openssl ca -config openssl.cnf -policy policy_anything -out certs/ldapcert.pem -infiles /tmp/csr.der.txt

###### INSTALL NEW SERVER CERT #########
# trust flags u,u,u: the server's own cert (its private key is already in the database)
/opt/fedora-ds/share/bin/certutil -A -d /opt/fedora-ds/alias -n "ldap-server-cert" -P slapd-ldap- -t u,u,u -a -i certs/ldapcert.pem

At this point, my server starts up just fine and all appears to be well, but it doesn't seem like it should be absolutely necessary to start over from scratch on each server when our root CA expires. Can someone detail a shorter method to replace expired root CAs *and* server certificates?

thanks.
brian.
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
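A pre-flight check that belongs before the renewal procedure in the post: how many days remain on each certificate in the NSS database, so the CA and server certs are replaced on a schedule rather than after a surprise expiry. This is an added example, not code from the post or from Fedora Directory Server; it assumes GNU date (-d), the certutil path and database prefix used in the post, and the "Not After :" line that certutil -L prints for a nickname.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight expiry check for the
# certificates in the NSS database used by the commands above, so the renewal
# is triggered by a measured "days left" rather than by a surprise expiry.
# Assumptions: GNU date (-d), the certutil path/prefix from the post, and the
# "Not After : <ctime>" line that "certutil -L -n <nickname>" prints.
CERTUTIL=/opt/fedora-ds/share/bin/certutil
DBDIR=/opt/fedora-ds/alias
PREFIX=slapd-ldap-

# days_until_expiry REF: read a certutil -L listing on stdin and print the whole
# days between REF (any GNU date string, e.g. "now") and the Not After time.
# Negative output means the certificate has already expired; fails (status 1)
# when the listing carries no Not After line.
days_until_expiry() {
    ref=${1:-now}
    # strip the leading weekday name so the remainder is an unambiguous date
    not_after=$(sed -n 's/^[[:space:]]*Not After *: *//p' | head -n 1 |
                sed 's/^[A-Za-z]\{3\} //')
    [ -n "$not_after" ] || return 1
    now=$(date -u -d "$ref" +%s) || return 1
    exp=$(date -u -d "$not_after" +%s) || return 1
    echo $(( (exp - now) / 86400 ))
}

# check_nickname NICK: run the check against one entry of the live database.
check_nickname() {
    "$CERTUTIL" -L -d "$DBDIR" -P "$PREFIX" -n "$1" | days_until_expiry now
}

# Constructed sample of the relevant lines of a certutil -L listing (not real output):
SAMPLE_LISTING='        Validity:
            Not Before: Mon Jan 02 09:00:00 2006
            Not After : Tue Jan 02 09:00:00 2007'

# Run against the sample with a fixed reference time so the result is reproducible.
printf 'sample CA, as of 2006-12-03: %s days left\n' \
    "$(printf '%s\n' "$SAMPLE_LISTING" | days_until_expiry '2006-12-03 09:00:00 UTC')"

# Live check against the post's database; skipped where certutil is not installed.
if [ -x "$CERTUTIL" ]; then
    for nick in "My Dept. Root CA" "ldap-server-cert"; do
        printf '%s: %s days left\n' "$nick" "$(check_nickname "$nick")"
    done
fi
```

Run it from cron with a threshold on the printed number and the CA rollover can be scheduled with the same certutil commands shown in the post, well before the old root reaches zero.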
