For IPA v4.6.x.
So you have an IPA installation with a CA and you decided you don’t want your users to have to install the IPA CA certificate(s), so instead you want to use certificates for the Web and LDAP services issued by some known 3rd party issuer. Sure, that works fine. You’d do something like:
Install the 3rd party CA chain and update your IPA master:
# ipa-cacert-manage install /path/to/root.pem -t CT,,
# ipa-cacert-manage install intermediate.cert.pem -t CT,,
# ipa-certupdate
Install the 3rd-party-provided server certificate. In this case I have it as two separate files, the public cert and the private key.
# ipa-server-certinstall --dirman-password password -w -d --pin '' server.cert.pem server.cert.key root.pem \
    intermediate.cert.pem
Great. IPA is working fine and my users don’t need to import the IPA CA.
Two years later…
My 3rd party certs are expiring soon, I don’t want to pay for new ones, and I want to switch back to using IPA-issued certificates. We can use certmonger for that. This assumes that your CA is still up and functioning properly.
I’d start by backing up the two NSS databases. It is safest to do this offline (ipactl stop). You need to copy *.db from /etc/dirsrv/slapd-EXAMPLE-TEST and /etc/httpd/alias someplace safe, then restart the world (ipactl start).
First the web server:
# ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/`hostname` -D `hostname` -C /usr/libexec/ipa/certmonger/restart_httpd -p /etc/httpd/alias/pwdfile.txt
Edit /etc/httpd/conf.d/nss.conf and replace the value of NSSNickname with Server-Cert.
Wait a bit to be sure the cert is issued. You can run this to see the status:
# ipa-getcert list -d /etc/httpd/alias -n Server-Cert
Now the LDAP server:
# ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-TEST -n Server-Cert -D `hostname` -K ldap/`hostname` -C "/usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-TEST" -p /etc/dirsrv/slapd-EXAMPLE-TEST/pwdfile.txt
Similarly wait for it to be issued. To track the status:
# ipa-getcert list -d /etc/dirsrv/slapd-EXAMPLE-TEST -n Server-Cert
Once it is issued run:
# ipactl stop
Now edit /etc/dirsrv/slapd-EXAMPLE-TEST/dse.ldif. We could do this while the server is online, but we need to restart anyway, and your favorite editor is easier than ldapmodify. Replace the value of nsSSLPersonalitySSL with Server-Cert.
Now restart the world:
# ipactl start
Connect to each port if you want to confirm that the certificate and chain are correct, e.g.
# openssl s_client -host `hostname` -port 443
CONNECTED(00000003)
depth=1 O = EXAMPLE.TEST, CN = Certificate Authority
verify return:1
depth=0 O = EXAMPLE.TEST, CN = ipa.example.test
verify return:1
---
Certificate chain
 0 s:/O=EXAMPLE.TEST/CN=ipa.example.test
   i:/O=EXAMPLE.TEST/CN=Certificate Authority
 1 s:/O=EXAMPLE.TEST/CN=Certificate Authority
   i:/O=EXAMPLE.TEST/CN=Certificate Authority
---
...
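The manual s_client check above is easy to script so that both ports (443 and 636) are confirmed after the switch. This is an added example, not part of the original post: it parses the s_client output shown above and requires that every depth verified and that the server certificate's issuer is the IPA CA; the pinned CA file /etc/ipa/ca.crt and the host name ipa.example.test are assumptions.

```shell
# Added example, not from the original post. check_chain_output reads openssl
# s_client output on stdin and returns 0 only if every depth verified and the
# server certificate (chain entry 0) is issued by ISSUER_DN, given in the
# slash form openssl prints, e.g. /O=EXAMPLE.TEST/CN=Certificate Authority.
check_chain_output() {
    ca_dn=$1
    out=$(cat)
    # At least one "verify return:1" and no other verify result; any other
    # value means a depth failed (untrusted issuer, expired cert, ...).
    printf '%s\n' "$out" | grep -q 'verify return:1$' || return 1
    if printf '%s\n' "$out" | grep 'verify return:' | grep -qv 'verify return:1$'; then
        return 1
    fi
    # The chain is printed as " 0 s:<subject>" then "   i:<issuer>";
    # entry 0 is the server cert, so its issuer must be the IPA CA.
    leaf_issuer=$(printf '%s\n' "$out" |
        awk '/^ *0 s:/ { getline; sub(/^ *i:/, ""); print; exit }')
    [ "$leaf_issuer" = "$ca_dn" ]
}

# Live check of one port. Assumes /etc/ipa/ca.crt holds the IPA CA so that
# verification is pinned to it rather than to whatever the system trusts.
check_port() {
    printf '' | openssl s_client -connect "$1:$2" -CAfile /etc/ipa/ca.crt 2>&1 |
        check_chain_output "$3"
}

# Constructed sample: the s_client output the post shows for port 443.
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=1 O = EXAMPLE.TEST, CN = Certificate Authority
verify return:1
depth=0 O = EXAMPLE.TEST, CN = ipa.example.test
verify return:1
---
Certificate chain
 0 s:/O=EXAMPLE.TEST/CN=ipa.example.test
   i:/O=EXAMPLE.TEST/CN=Certificate Authority
 1 s:/O=EXAMPLE.TEST/CN=Certificate Authority
   i:/O=EXAMPLE.TEST/CN=Certificate Authority
---'

# Usage: sh check_chain.sh ipa.example.test 443 636   (no arguments: do nothing)
if [ "$#" -ge 2 ]; then
    host=$1; shift
    for port in "$@"; do
        check_port "$host" "$port" '/O=EXAMPLE.TEST/CN=Certificate Authority' &&
            echo "port $port: issued by the IPA CA" ||
            echo "port $port: FAILED, check the nickname and the chain" >&2
    done
fi
```

A port that still serves the old 3rd party leaf, or one whose chain does not verify, is reported as FAILED, which is exactly the case where NSSNickname or nsSSLPersonalitySSL was not switched to Server-Cert.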