Using 3rd party certificates for HTTP/LDAP

The following procedure allows you to use a 3rd party certificate for the HTTP and LDAP services after the FreeIPA system has been deployed. You will need the following files:

  • mysite.key (the private key matching the certificate)
  • mysite.crt (your SSL certificate, issued by the 3rd party CA)


Procedure in current IPA

Prerequisite

The certificate in mysite.crt must be signed by a CA known to the service you are loading the certificate into. If that is not the case, use the commands ipa-cacert-manage install and ipa-certupdate to load the CA's certificate before installing the new certificate:

# ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install ca.crt
# ipa-certupdate

Configuration of the 3rd party certificate

You can install the new bundle using:

# ipa-server-certinstall -w -d mysite.key mysite.crt

Then restart your daemons:

# systemctl restart httpd.service
# systemctl restart dirsrv@MY-REALM.service

Procedure in IPA < 4.1

Prerequisite

The certificate in mysite.crt must be signed by a CA known to the service you are loading the certificate into. If that is not the case, you need to add the 3rd party CA (and its chain, if it is a sub-CA) to the NSS databases used by FreeIPA. For instance, if the chain contains a CA (whose certificate is /root/ca1.crt) and a sub-CA (whose certificate is /root/ca2.crt), run the following procedure on the master:

  • Add the CA and subCA certs to /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt
# cat /root/ca1.crt /root/ca2.crt >> /etc/ipa/ca.crt
# cp /etc/ipa/ca.crt /usr/share/ipa/html/ca.crt
  • Add the CA and subCA certs to the system DB
# certutil -A -d /etc/pki/nssdb/ -n 'EXT-CA1' -t CT,C,C -a -i /root/ca1.crt
# certutil -A -d /etc/pki/nssdb/ -n 'EXT-CA2' -t CT,C,C -a -i /root/ca2.crt
  • Add the CA and subCA certs to HTTP DB
# certutil -A -d /etc/httpd/alias/ -n 'EXT-CA1' -t CT,C,C -a -i /root/ca1.crt
# certutil -A -d /etc/httpd/alias/ -n 'EXT-CA2' -t CT,C,C -a -i /root/ca2.crt
  • Add the CA and subCA certs to DS main instance DB
# certutil -A -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n 'EXT-CA1' -t CT,C,C -a -i /root/ca1.crt
# certutil -A -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n 'EXT-CA2' -t CT,C,C -a -i /root/ca2.crt
  • Add the CA and subCA certs to DS PKI instance DB
# certutil -A -d /etc/dirsrv/slapd-PKI-IPA/ -n 'EXT-CA1' -t CT,C,C -a -i /root/ca1.crt
# certutil -A -d /etc/dirsrv/slapd-PKI-IPA/ -n 'EXT-CA2' -t CT,C,C -a -i /root/ca2.crt
  • Add the CA and subCA certs to PKI instance DB
# certutil -A -d /var/lib/pki-ca/alias/ -n 'EXT-CA1' -t CT,C,C -a -i /root/ca1.crt
# certutil -A -d /var/lib/pki-ca/alias/ -n 'EXT-CA2' -t CT,C,C -a -i /root/ca2.crt
  • Check that the trust flags are correct, or fix them if needed, in /etc/httpd/alias and /etc/dirsrv/slapd-EXAMPLE-COM ($ca1alias and $ca2alias stand for the nicknames used above, EXT-CA1 and EXT-CA2):
# certutil -M -d /etc/httpd/alias/ -t CT,C,C -n $ca1alias
# certutil -M -d /etc/httpd/alias/ -t CT,C,C -n $ca2alias
# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n $ca1alias -t CT,C,C
# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n $ca2alias -t CT,C,C
  • Restart the services
# ipactl restart

Note: the same procedure must be run on the replicas.

On the clients, you only need to run the following:

# cat /root/ca1.crt /root/ca2.crt >> /etc/ipa/ca.crt
# certutil -A -d /etc/pki/nssdb/ -n 'EXT-CA1' -t CT,C,C -a -i /root/ca1.crt
# certutil -A -d /etc/pki/nssdb/ -n 'EXT-CA2' -t CT,C,C -a -i /root/ca2.crt

Configuration of the 3rd party certificate

First, create a PKCS12 archive containing the certificate, its private key and the CA chain from /etc/ipa/ca.crt:

# openssl pkcs12 -export -chain -CAfile /etc/ipa/ca.crt -in mysite.crt -inkey mysite.key -name MyIPA -out newcert.pk12 -passout pass:some_secret_password

Once this command has completed, you can install the new bundle using:

# ipa-server-certinstall -w --http_pin=some_secret_password newcert.pk12
# ipa-server-certinstall -d --dirsrv_pin=some_secret_password newcert.pk12

Then restart your daemons:

# systemctl restart httpd.service
# systemctl restart dirsrv@MY-REALM.service
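Before running either procedure above, it is worth confirming that mysite.key really belongs to mysite.crt and that mysite.crt chains to the CA bundle the services trust (the prerequisite stated for both the current and the pre-4.1 procedure); the pre-4.1 procedure additionally depends on the PKCS12 archive carrying the whole chain. The script below is an added example, not code from the FreeIPA wiki or the FreeIPA project. It wraps the openssl calls in small functions (the names key_matches_cert, cert_chains_to_bundle, build_pkcs12 and preflight are ours) and assumes only that the openssl command-line tool is installed. The CA bundle argument is the file the page loads the CA into, for example /etc/ipa/ca.crt.

```shell
#!/bin/sh
# Added pre-flight checks for the certificate installation described on this
# page (not part of the FreeIPA wiki or the FreeIPA project). Assumes the
# openssl CLI is installed; all function names are our own.
set -eu

# Succeeds when the private key and the certificate carry the same public key.
# A mismatch is the most common reason a new bundle is refused or httpd fails
# to start after ipa-server-certinstall.
key_matches_cert() {
    key="$1" crt="$2"
    # Both files must be readable, otherwise two empty hashes would compare equal.
    [ -r "$key" ] && [ -r "$crt" ] || return 1
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl sha256)
    crt_pub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl sha256)
    [ "$key_pub" = "$crt_pub" ]
}

# Succeeds when the certificate chains to a CA in the given bundle: the
# prerequisite stated for both the current and the pre-4.1 procedure.
cert_chains_to_bundle() {
    bundle="$1" crt="$2"
    openssl verify -CAfile "$bundle" "$crt" >/dev/null 2>&1
}

# Builds the PKCS12 archive the way the pre-4.1 procedure does (-chain -CAfile)
# and prints the number of certificates it contains, so a missing intermediate
# shows up before ipa-server-certinstall is run.
build_pkcs12() {
    bundle="$1" crt="$2" key="$3" out="$4" pass="$5"
    openssl pkcs12 -export -chain -CAfile "$bundle" -in "$crt" -inkey "$key" \
        -name MyIPA -out "$out" -passout "pass:$pass"
    openssl pkcs12 -in "$out" -nokeys -passin "pass:$pass" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Runs all checks and builds the archive; returns non-zero if any check fails.
# Usage: preflight CA_BUNDLE mysite.crt mysite.key newcert.pk12 PASSWORD
preflight() {
    bundle="$1" crt="$2" key="$3" out="$4" pass="$5"
    status=0
    if key_matches_cert "$key" "$crt"; then
        echo "ok: $key matches $crt"
    else
        echo "FAIL: $key does not match $crt"; status=1
    fi
    if cert_chains_to_bundle "$bundle" "$crt"; then
        echo "ok: $crt chains to a CA in $bundle"
    else
        echo "FAIL: $crt does not chain to any CA in $bundle"; status=1
    fi
    [ "$status" -eq 0 ] || return "$status"
    echo "pkcs12 $out contains $(build_pkcs12 "$bundle" "$crt" "$key" "$out" "$pass") certificate(s)"
}

# Only act when invoked with the five arguments described above.
if [ "$#" -eq 5 ]; then
    preflight "$@"
fi
```

Run it as `sh preflight.sh /etc/ipa/ca.crt mysite.crt mysite.key newcert.pk12 some_secret_password`; it refuses to build the archive when a check fails. The certificate count it prints should equal the length of the chain (the service certificate plus every CA up to the root); a lower number means a CA is missing from the bundle passed with -CAfile, which is exactly the situation the prerequisite sections describe.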