Certmonger tracking requests for IdM internal certificates in RHEL 7
Tracking requests for IdM internal certificates
The certmonger utility can monitor the expiration date of a certificate and automatically renew the certificate at the end of its validity period. For IdM internal certificates those tracking requests are created automatically but in some rare cases it might be necessary to re-create those requests manually.
NOTE: The exact filenames and helper scripts used in the tracking requests differ between releases of Red Hat Enterprise Linux (RHEL). The examples below are all based on a RHEL 7.9 setup. A list for older versions is available on the following page: https://people.redhat.com/tscherf/certmonger/certmonger-tracking-requests.txt
For certmonger requests in RHEL 6 please refer to this article.
For certmonger requests in RHEL 8 please refer to the official RHEL 8 documentation.
For certmonger requests in RHEL 9 please refer to the official RHEL 9 documentation.
IMPORTANT: More detailed instructions on how to manually renew IdM internal certificates are available on the following page: How do I manually renew Identity Management (IPA) certificates on RHEL7 after they have expired? (Master IPA Server)
PKI Certificates
First we need to obtain the internal PIN for the PKI NSS database (used by the getcert start-tracking commands below) and put it into an environment variable:
# export NSSDB_PIN=$(sed -n 's/^internal=//p' /var/lib/pki/pki-tomcat/conf/password.conf)
Next create the missing tracking requests for the corresponding certificates:
CA signing certificate
# getcert start-tracking -d /etc/pki/pki-tomcat/alias -n "caSigningCert cert-pki-ca" -c 'dogtag-ipa-ca-renew-agent' -P $NSSDB_PIN -B /usr/libexec/ipa/certmonger/stop_pkicad -C '/usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"'
Audit certificate
# getcert start-tracking -d /etc/pki/pki-tomcat/alias -n "auditSigningCert cert-pki-ca" -c dogtag-ipa-ca-renew-agent -P $NSSDB_PIN -B /usr/libexec/ipa/certmonger/stop_pkicad -C '/usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"'
OCSP certificate
# getcert start-tracking -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca" -c dogtag-ipa-ca-renew-agent -P $NSSDB_PIN -B /usr/libexec/ipa/certmonger/stop_pkicad -C '/usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"'
Subsystem certificate
# getcert start-tracking -d /etc/pki/pki-tomcat/alias -n "subsystemCert cert-pki-ca" -c dogtag-ipa-ca-renew-agent -P $NSSDB_PIN -B /usr/libexec/ipa/certmonger/stop_pkicad -C '/usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"'
Tomcat servlet certificate
# getcert start-tracking -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" -c dogtag-ipa-ca-renew-agent -P $NSSDB_PIN -B /usr/libexec/ipa/certmonger/stop_pkicad -C '/usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"'
IPA certificates
All the other IPA certificates are stored outside of the /etc/pki/pki-tomcat/alias NSS database, so their tracking requests need to be added separately:
RA certificate
# getcert start-tracking -f /var/lib/ipa/ra-agent.pem -k /var/lib/ipa/ra-agent.key -c dogtag-ipa-ca-renew-agent -B /usr/libexec/ipa/certmonger/renew_ra_cert_pre -C /usr/libexec/ipa/certmonger/renew_ra_cert
KDC certificate
# getcert start-tracking -f /var/kerberos/krb5kdc/kdc.crt -k /var/kerberos/krb5kdc/kdc.key -c IPA -C /usr/libexec/ipa/certmonger/renew_kdc_cert
LDAP server certificate
# getcert start-tracking -d /etc/dirsrv/slapd-<instance> -n Server-Cert -c IPA -p /etc/dirsrv/slapd-<instance>/pwdfile.txt -C "/usr/libexec/ipa/certmonger/restart_dirsrv <instance>"
HTTPD server certificate
If the HTTPD certificate is still in the NSS database in /etc/httpd/alias, please use:
# getcert start-tracking -d /etc/httpd/alias -n Server-Cert -c IPA -p /etc/httpd/alias/pwdfile.txt -C /usr/libexec/ipa/certmonger/restart_httpd
Otherwise, the correct request would be:
# getcert start-tracking -f /var/lib/ipa/certs/httpd.crt -k /var/lib/ipa/private/httpd.key -c IPA -C /usr/libexec/ipa/certmonger/restart_httpd
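Before re-creating any of the requests above it helps to know which ones are actually absent. The following script is an added example (not part of the article): it parses the output of getcert list and reports the expected RHEL 7.9 identifiers that have no tracking request; the getcert output embedded in it is a constructed sample.

```shell
# Added example, not from the original article: parse "getcert list" output and
# report which IdM internal certificates have no certmonger tracking request.
# Expected request identifiers: "location:nickname" for NSS databases, the PEM
# path for file-based certificates. LDAP and HTTPD entries depend on the
# instance name and layout, so pass those as extra arguments.
EXPECTED_IDS="/etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
/etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
/etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
/etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
/etc/pki/pki-tomcat/alias:Server-Cert cert-pki-ca
/var/lib/ipa/ra-agent.pem
/var/kerberos/krb5kdc/kdc.crt"

# Reduce each "certificate:" line of getcert output (stdin) to its identifier.
tracked_ids() {
    sed -n \
        -e "s/^[[:space:]]*certificate: type=NSSDB,location='\([^']*\)',nickname='\([^']*\)'.*/\1:\2/p" \
        -e "s/^[[:space:]]*certificate: type=FILE,location='\([^']*\)'.*/\1/p"
}

# Read getcert output from stdin and print every expected identifier (plus any
# passed as arguments) that has no request, one per line. Returns 1 if any.
missing_tracking() {
    tracked=$(tracked_ids)
    expected=$EXPECTED_IDS
    for extra in "$@"; do expected="$expected
$extra"; done
    missing=""
    old_ifs=$IFS; IFS='
'
    for id in $expected; do
        printf '%s\n' "$tracked" | grep -Fxq -- "$id" || missing="$missing$id
"
    done
    IFS=$old_ifs
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Constructed sample of "getcert list" output: only the CA signing certificate
# and the RA agent certificate are tracked (other fields omitted for brevity).
SAMPLE_GETCERT_LIST="Request ID '20200101120000':
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
Request ID '20200101120001':
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'"

check_sample() { printf '%s\n' "$SAMPLE_GETCERT_LIST" | missing_tracking "$@"; }
```

On a real server run `getcert list | missing_tracking '/etc/dirsrv/slapd-<instance>:Server-Cert'` (substituting the actual instance name) and create only the requests it lists.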