Dealing with expiring IDM CA certificates on Red Hat Enterprise Linux 6 and 7

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux (RHEL) 6, 7, 8
  • Red Hat Identity Management (IDM) originally installed on RHEL 6
  • IDM CA self-signed certificate expiring "soon" or already expired

Issue

While an IDM domain installed on RHEL 6.10 has a twenty-year CA certificate lifetime, older RHEL 6 IDM releases set a Certificate Authority lifetime of eight years.
RHEL 6.0 was released in 2010, so some of the CA certificates of the first IDM installs are now set to expire in the coming years. Moreover, RHEL 6 Maintenance Phase 2 ends November 30, 2020. Migrating the IDM servers to RHEL7 must be done within that time frame too.
Clusters migrated from an older RHEL6 to RHEL7 or even RHEL8 will exhibit the same issue unless corrective action is taken.
The CA renewal and certificate renewal tooling shipped in RHEL 7.7 makes this easier.

Resolution

The following article is written from the point of view of a RHEL 6 IDM cluster with a soon-to-be-expiring or already expired self-signed CA certificate. If the cluster is currently running RHEL 7 or even RHEL 8, but was originally installed on RHEL 6 and has a self-signed CA certificate that would expire soon, the resolution below applies too.

Let's start with two servers: rhel6-ipa0 and rhel7-ipa1.
rhel6-ipa0 was installed using RHEL 6.3 on Jan 1 2012, and the IDM domain myinfra.test was installed on that date. The host was subsequently updated to RHEL 6.10, then the clock was moved forward to 2019-11-02 in small increments, leaving time for certmonger to renew the service certificates. We are now reaching the end of the lifetime of the CA:

[root@rhel6-ipa0 ~]# date
Sat Nov  2 01:51:50 CET 2019

[root@rhel6-ipa0 ~]# openssl x509 -in /etc/ipa/ca.crt -noout -issuer -subject -serial -dates
issuer= /O=MYINFRA.TEST/CN=Certificate Authority
subject= /O=MYINFRA.TEST/CN=Certificate Authority
serial=01
notBefore=Dec 31 23:05:19 2011 GMT
notAfter=Dec 31 23:05:19 2019 GMT

All subsystem certificates share the same expiry date as the CA certificate now:

[root@rhel6-ipa0 ~]# getcert list | grep -E "certificate|status|expires|Request"
Number of certificates and requests being tracked: 8.
Request ID '20111231230610':
	status: MONITORING
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-MYINFRA-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	expires: 2019-12-31 23:05:19 UTC
Request ID '20111231230628':
	status: MONITORING
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
	expires: 2019-12-31 23:05:19 UTC
Request ID '20111231230641':
	status: MONITORING
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	expires: 2019-12-31 23:05:19 UTC
Request ID '20120101230537':
	status: MONITORING
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	expires: 2019-12-31 23:05:19 UTC
Request ID '20120101230538':
	status: MONITORING
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	expires: 2019-12-31 23:05:19 UTC
Request ID '20120101230539':
	status: MONITORING
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	expires: 2019-12-31 23:05:19 UTC
Request ID '20120101230540':
	status: MONITORING
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
	expires: 2019-12-31 23:05:19 UTC
Request ID '20120101230541':
	status: MONITORING
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	expires: 2019-12-31 23:05:19 UTC

This is our starting point. If your CA certificate is already expired, on the RHEL6 current renewal master host:

  • Make sure neither ntpd nor chronyd is running,
  • Make sure none of the network interfaces use DHCP, as even DHCP static leases would expire,
  • Set the clock back to a date at which the CA and all the subsystem certificates are valid,
  • Then restart IPA with “ipactl restart”.

Let’s install our RHEL 7.7 host (rhel7-ipa1), configuring the network in static mode (do not use DHCP even with static leases) and using the “Infrastructure Server” base environment and “Identity Management Server” add-on in Software Selection.

Post-install:

  • Stop and disable the chronyd unit,
  • Install the bind-dyndb-ldap package,
  • Configure firewalld for an IDM server, or stop and disable the unit,
  • Then set the clock back to the RHEL6 master's time, to within about one second, using “date”.

To prepare for migration, follow all the steps in the migrate-6-to-7 documentation. At the ipa-replica-install step, pass the --setup-ca option and, if necessary, --setup-dns.
Remember to add -N to avoid setting up ntpd.

[root@rhel7-ipa1 ~]# ipa-replica-install /var/lib/ipa/replica-info-rhel7-ipa1.myinfra.test.gpg --setup-ca --ip-address 192.168.115.71 --setup-dns --forwarder 192.168.115.254 -N
Directory Manager (existing master) password: 

Checking DNS forwarders, please wait ...
(...)
Run connection check to master
admin@MYINFRA.TEST password: 
admin@MYINFRA.TEST@rhel6-ipa0.myinfra.test's password: 
admin@MYINFRA.TEST@rhel6-ipa0.myinfra.test's password: 
Connection check OK
Adding [192.168.115.71 rhel7-ipa1.myinfra.test] to your /etc/hosts file
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/41]: creating directory server instance
  [2/41]: enabling ldapi
(...)
Client configuration complete.
The ipa-client-install command was successful

Update the system configuration (DNS1 in /etc/sysconfig/network-scripts/ifcfg-eth0) and /etc/resolv.conf to point at 127.0.0.1.

Then, in the same document, follow the "8.2.4 Transitioning the CA Services to the Red Hat Enterprise Linux 7 Server" procedure, starting with:

# ipa-csreplica-manage list
Directory Manager password: 
rhel6-ipa0.myinfra.test: master
rhel7-ipa1.myinfra.test: master

Alternatively, firewall off, or shut down, all remaining RHEL6 servers if you have the chance, and then delete the replication agreement. For the record, I chose to power down rhel6-ipa0 first and then delete the replication agreement, but in real infrastructures firewalling might be better if the existing clients still rely on the current master(s) for DNS and other domain services.

To delete the replication agreement:

[root@rhel7-ipa1 ~]# ipa-replica-manage del --force rhel6-ipa0.myinfra.test 

Now set the RHEL7.7 host as the renewal and CRL generation master:

[root@rhel7-ipa1 ~]# kinit admin
Password for admin@MYINFRA.TEST: 
[root@rhel7-ipa1 ~]# ipa config-mod --ca-renewal-master-server rhel7-ipa1.myinfra.test
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: myinfra.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=MYINFRA.TEST
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: rhel7-ipa1.myinfra.test
  IPA CA servers: rhel7-ipa1.myinfra.test
  IPA CA renewal master: rhel7-ipa1.myinfra.test
  IPA DNS servers: rhel7-ipa1.myinfra.test

[root@rhel7-ipa1 ~]# ipa-crlgen-manage status
CRL generation: disabled
The ipa-crlgen-manage command was successful

[root@rhel7-ipa1 ~]# ipa-crlgen-manage enable
Stopping pki-tomcatd
Editing /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
Starting pki-tomcatd
Editing /etc/httpd/conf.d/ipa-pki-proxy.conf
Restarting httpd
Forcing CRL update
CRL generation enabled on the local host. Please make sure to have only a single CRL generation master.
The ipa-crlgen-manage command was successful

Now renew the CA certificate:

[root@rhel7-ipa1 ~]# ipa-cacert-manage renew
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful

Then use "getcert list" to list all tracked certificates. If some are in the CA_UNREACHABLE state, resubmit them with "getcert resubmit -i <request-id>". The end result:

[root@rhel7-ipa1 ~]# getcert list |grep -E "certificate|status|expires|Request"
Number of certificates and requests being tracked: 9.
Request ID '20191102004729':
	status: MONITORING
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-MYINFRA-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	expires: 2021-11-02 03:31:11 UTC
Request ID '20191102004740':
	status: MONITORING
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	expires: 2021-11-02 03:31:40 UTC
Request ID '20191102004948':
	status: MONITORING
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	expires: 2021-10-22 02:30:46 UTC
Request ID '20191102005018':
	status: MONITORING
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	expires: 2021-10-22 02:30:39 UTC
Request ID '20191102005019':
	status: MONITORING
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	expires: 2021-10-22 02:29:58 UTC
Request ID '20191102005020':
	status: MONITORING
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	expires: 2021-10-22 02:29:31 UTC
Request ID '20191102005021':
	status: MONITORING
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	expires: 2039-11-02 03:26:14 UTC
Request ID '20191102005022':
	status: MONITORING
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	expires: 2021-10-22 02:27:47 UTC
Request ID '20191102005105':
	status: MONITORING
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	expires: 2020-11-02 00:51:06 UTC
	certificate template/profile: KDCs_PKINIT_Certs
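A helper for the "getcert list" check just described, added here as an example that is not part of this solution: it parses the command's output into request records, flags those that are not MONITORING (such as CA_UNREACHABLE) or whose certificate expires within a chosen window, and lists the resubmit commands to run. The sample output is trimmed from this article's listing; the CA_UNREACHABLE status on the last record is constructed to exercise the flag.

```python
# Added example (not from the Red Hat solution): parse `getcert list` output, flag tracked requests
# that are not MONITORING or that expire within a window, and list the resubmit commands to run.
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, trimmed from the article's output; the CA_UNREACHABLE status is made up.
SAMPLE = """Number of certificates and requests being tracked: 3.
Request ID '20191102004729':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-MYINFRA-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2021-11-02 03:31:11 UTC
Request ID '20191102005105':
    status: MONITORING
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    expires: 2020-11-02 00:51:06 UTC
Request ID '20191102005022':
    status: CA_UNREACHABLE
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    expires: 2021-10-22 02:27:47 UTC
"""


def to_utc(text):
    """Parse a getcert 'expires' value such as '2021-11-02 03:31:11 UTC' into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def parse_getcert(text):
    """Map Request ID -> {'status', 'certificate', 'expires'} from `getcert list` output."""
    requests, current = {}, None
    for line in text.splitlines():
        head = re.match(r"Request ID '([^']+)':", line)
        if head:
            current = requests.setdefault(head.group(1), {})
            continue
        field = re.match(r"\s*(status|certificate|expires): (.*)", line)
        if field and current is not None:
            current[field.group(1)] = field.group(2).strip()
    return requests


def needs_attention(text, now, days=30):
    """(request id, status, certificate) for requests in an abnormal state or expiring within days."""
    horizon = now + timedelta(days=days)
    return [(rid, info["status"], info["certificate"])
            for rid, info in parse_getcert(text).items()
            if info["status"] != "MONITORING" or to_utc(info["expires"]) <= horizon]


def resubmit_commands(text, now, days=30):
    """The `getcert resubmit -i <id>` commands for requests whose CA could not be reached."""
    return [f"getcert resubmit -i {rid}" for rid, status, _ in needs_attention(text, now, days)
            if status == "CA_UNREACHABLE"]
```

On a real server, feed it the output of "getcert list" and the current time; requests flagged only for an approaching expiry are normally handled by certmonger and need no manual resubmit.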

Now update the certificates on the server.

[root@rhel7-ipa1 ~]# ipa-certupdate
trying https://rhel7-ipa1.myinfra.test/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://rhel7-ipa1.myinfra.test/ipa/json'
trying https://rhel7-ipa1.myinfra.test/ipa/session/json
[try 1]: Forwarding 'ca_is_enabled/1' to json server 'https://rhel7-ipa1.myinfra.test/ipa/session/json'
[try 1]: Forwarding 'ca_find/1' to json server 'https://rhel7-ipa1.myinfra.test/ipa/session/json'
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful

The ca.crt file contains two blobs now:

[root@rhel7-ipa1 html]# cat /etc/ipa/ca.crt
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----

Splitting the file into its two certificates and verifying the second one:

# openssl x509 -in ca2.crt -noout -issuer -subject -serial -dates
issuer= /O=MYINFRA.TEST/CN=Certificate Authority
subject= /O=MYINFRA.TEST/CN=Certificate Authority
serial=0FFF0001
notBefore=Nov  2 03:26:14 2019 GMT
notAfter=Nov  2 03:26:14 2039 GMT

This file is generated from the two cACertificate attribute values present in LDAP. Unfortunately, some tools cannot parse such a file properly, so the expired certificate must be removed or placed at the end of the file. For more details, see the upstream discussion.
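The check just done by hand on ca2.crt, extended to every blob in the bundle, as an added example that is not part of this solution: with the Python standard library only (a minimal DER walk stands in for the cryptography package) it reports each certificate's serial and notAfter, rewrites the bundle with expired certificates last, or generates the delete LDIF for exactly the expired cACertificate values, which is what the rest of this procedure does by hand. The DN is the one from this article's ldapsearch output; run it on a copy of /etc/ipa/ca.crt and review what it reports before applying any LDIF.

```python
# Added example (not from the Red Hat solution): audit a multi-blob PEM bundle like /etc/ipa/ca.crt
# with stdlib only (minimal DER walk), reorder expired blobs last, or build the delete LDIF for them.
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Decode the DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def cert_info(der):
    """Serial (hex, as openssl prints it) and validity window of one DER certificate."""
    _, pos, _ = _tlv(der, 0)                  # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, pos, _ = _tlv(der, pos)                # TBSCertificate ::= SEQUENCE { ... }
    if der[pos] == 0xA0:                      # [0] EXPLICIT version, absent on v1 certs
        pos = _tlv(der, pos)[2]
    _, s, e = _tlv(der, pos)                  # serialNumber INTEGER
    serial = "%X" % int.from_bytes(der[s:e], "big")
    serial = "0" * (len(serial) % 2) + serial
    pos = _tlv(der, e)[2]                     # signature AlgorithmIdentifier
    pos = _tlv(der, pos)[2]                   # issuer Name
    _, pos, _ = _tlv(der, pos)                # Validity ::= SEQUENCE { notBefore, notAfter }
    dates = []
    for _ in range(2):                        # 0x17 UTCTime (YY...), 0x18 GeneralizedTime (YYYY...)
        tag, s, pos = _tlv(der, pos)
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
        dates.append(datetime.strptime(der[s:pos].decode(), fmt).replace(tzinfo=timezone.utc))
    return (serial, *dates)


def audit_bundle(pem_text, now=None):
    """One (pem_block, serial, not_after, expired) tuple per blob, in file order."""
    now = now or datetime.now(timezone.utc)
    certs = [(m.group(0), cert_info(base64.b64decode("".join(m.group(1).split()))))
             for m in PEM_RE.finditer(pem_text)]
    return [(pem, serial, na, na < now) for pem, (serial, _, na) in certs]


def reorder_bundle(pem_text, now=None):
    """Same blobs, unexpired first, so tools that only read the first entry see a live CA."""
    return "\n".join(e[0] for e in sorted(audit_bundle(pem_text, now), key=lambda e: e[3])) + "\n"


def delete_ldif(pem_text, dn, now=None):
    """LDIF removing each expired blob's cACertificate;binary value from dn ('' if none)."""
    mods = []
    for pem, _, _, expired in audit_bundle(pem_text, now):
        if expired:
            b64 = "".join(PEM_RE.match(pem).group(1).split())
            mods += ["delete: cACertificate;binary", f"cACertificate;binary:: {b64}", "-"]
    return "\n".join([f"dn: {dn}", "changetype: modify"] + mods) + "\n" if mods else ""
```

The LDIF it emits has the same shape as the hand-written delete.ldif later in this article, with the "-" separator that RFC 2849 places after each modification.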
To find the two cACertificate attribute values, build an LDAP search like this:

LDAPTLS_REQCERT=never ldapsearch -Y GSSAPI -b cn=certificates,cn=ipa,cn=etc,$BASEDN

So let’s see:

[root@rhel7-ipa1 ~]# kinit admin
[root@rhel7-ipa1 ~]# LDAPTLS_REQCERT=never ldapsearch -Y GSSAPI -b cn=certificates,cn=ipa,cn=etc,dc=myinfra,dc=test
(...)
# MYINFRA.TEST IPA CA, certificates, ipa, etc, myinfra.test
dn: cn=MYINFRA.TEST IPA CA,cn=certificates,cn=ipa,cn=etc,dc=myinfra,dc=test
(...)
cACertificate;binary:: MIIDlTCCAn2gAwIBAgIBATANBgkqhkiG9w0BAQsFADA3MRUwEwYDVQQ
(...)
 hZabrf/QQzM1oP+yqP
cACertificate;binary:: MIIDkTCCAnmgAwIBAgIED/8AATANBgkqhkiG9w0BAQsFADA3MRUwEwY
(...)
 yHU433HBrtsOE=
(...)

The two cACertificate attributes match the two CA certificates we found in ca.crt.
We need to remove the older, expired certificate from the LDAP tree and run ipa-certupdate again. Going back to the point where we split ca.crt in two, the bottom half is the correct ca.crt:

[root@rhel7-ipa1 tmp]# openssl x509 -in ca.crt -noout -issuer -subject -serial -dates
issuer= /O=MYINFRA.TEST/CN=Certificate Authority
subject= /O=MYINFRA.TEST/CN=Certificate Authority
serial=0FFF0001
notBefore=Nov  2 03:26:14 2019 GMT
notAfter=Nov  2 03:26:14 2039 GMT
[root@rhel7-ipa1 tmp]# cat ca.crt 
-----BEGIN CERTIFICATE-----
MIIDkTCCAnmgAwIBAgIED/8AATANBgkqhkiG9w0BAQsFADA3MRUwEwYDVQQKEwxN
WUlORlJBLlRFU1QxHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0x
OTExMDIwMzI2MTRaFw0zOTExMDIwMzI2MTRaMDcxFTATBgNVBAoTDE1ZSU5GUkEu
VEVTVDEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvEtto7Qgf1RCdeBONfAyRQqzlU5OC8KVb0rG
AlWx6M1RjwiNPui6ZfQ0SADDbLoJb564oqd2vPS5ojr0GCCxalRRrRWwGplPxcva
ZCJ68ghoXm8rtOiBKBqixcfx0S8xvIiiwZ21S+dwrcZxq4pFF9D9dbpXLk9JRy16
rmL5KWHosLW9XlFBG2rBDYFZh5ZiIVOBh4J9+FlHKQdd8N/xS1qZPT2BzW4QmqnY
D6AzgzYRx8sijcHvl5G7qBU1t3Yqwyl8UP6SC3fmrEJH8Drsv+QiX8wHRstD2EVz
ZXQeHvE7ZPDX80TAqAUgwdim07ezD7HaSWpXkzySQicqPbgSBQIDAQABo4GkMIGh
MB8GA1UdIwQYMBaAFNdYcH98WkiST5ae5DW9rxQQKYIEMB0GA1UdDgQWBBTXWHB/
fFpIkk+WnuQ1va8UECmCBDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
xjA+BggrBgEFBQcBAQQyMDAwLgYIKwYBBQUHMAGGImh0dHA6Ly9pcGEtY2EubXlp
bmZyYS50ZXN0L2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBABBdtFemAAM0iVJl
AowD9/37aRvBpZgJAQR+Ktug722hppj0yo/YoFbva1e7L3vvkve5XdOftMDNI1if
0CyCeu80HjPRMdfoZOwA6EER2Z9EvDsLED5lNCXSIJSLLfcEoFy+xmhV4x4NCrWm
FVyNDOkUvh2ongGZr33+d7w7czc+P1NahurdFLWIc95wVBkBYdGrcbpgmgcQZTFo
ChS4FZvf9HgI4iD2MCqG1r96YAVqT8h0tpikJLFLMdDDakRBNydtY+nJ7466mS6a
3n45vFvQasOZ1CZnWgsKkr1VS/DKoddblJKLA+M+3PSYr94gyGpKgdu3zTyHU433
HBrtsOE=
-----END CERTIFICATE-----

This is the right CA certificate to keep. We will therefore remove the other one.
First, make a backup of /etc/ipa/ca.crt (into /root/backup/ for instance, not in any temporary directory). Then we will remove the attribute value with ldapmodify and an LDIF file.

Here is my LDIF:

[root@rhel7-ipa1 ~]# cat delete.ldif 
dn: cn=MYINFRA.TEST IPA CA,cn=certificates,cn=ipa,cn=etc,dc=myinfra,dc=test
changetype: modify
delete: cACertificate;binary
cACertificate;binary:: MIIDlTCCAn2gAwIBAgIBATANBgkqhkiG9w0BAQsFADA3MRUwEwYDVQQ
(...)
 hZabrf/QQzM1oP+yqP

Double-check that this is the right certificate to delete, i.e. the one that expired in 2019, and certainly not the current one.
Then, launch the ldap operation:

[root@rhel7-ipa1 ~]# LDAPTLS_REQCERT=never ldapmodify -x -D 'cn=directory manager' -W < delete.ldif 

Check that there is only a single attribute now:

[root@rhel7-ipa1 ~]# ldapsearch -Y GSSAPI -b cn=certificates,cn=ipa,cn=etc,dc=myinfra,dc=test
(...)
# MYINFRA.TEST IPA CA, certificates, ipa, etc, myinfra.test
dn: cn=MYINFRA.TEST IPA CA,cn=certificates,cn=ipa,cn=etc,dc=myinfra,dc=test
(...)
cACertificate;binary:: MIIDkTCCAnmgAwIBAgIED/8AATANBgkqhkiG9w0BAQsFADA3MRUwEwY
(...)
 yHU433HBrtsOE=
(...)

Now update the local certificates:

[root@rhel7-ipa1 ~]# ipa-certupdate

Check (with cat) that /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt contain a single entry.
Then we will check that openssl finds the right certificate:

[root@rhel7-ipa1 ~]# openssl x509 -in /etc/ipa/ca.crt -noout -issuer -subject -serial -dates
issuer= /O=MYINFRA.TEST/CN=Certificate Authority
subject= /O=MYINFRA.TEST/CN=Certificate Authority
serial=0FFF0001
notBefore=Nov  2 03:26:14 2019 GMT
notAfter=Nov  2 03:26:14 2039 GMT

[root@rhel7-ipa1 ~]# openssl x509 -in /usr/share/ipa/html/ca.crt -noout -issuer -subject -serial -dates
issuer= /O=MYINFRA.TEST/CN=Certificate Authority
subject= /O=MYINFRA.TEST/CN=Certificate Authority
serial=0FFF0001
notBefore=Nov  2 03:26:14 2019 GMT
notAfter=Nov  2 03:26:14 2039 GMT

All good, let’s start and enable chrony:

[root@rhel7-ipa1 html]# systemctl enable chronyd
[root@rhel7-ipa1 html]# systemctl start chronyd
(...)
[root@rhel7-ipa1 html]# chronyc sources
210 Number of sources = 4
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^- ntp.fnutt.net                 2   6    17     3   +183us[ +828us] +/-   63ms
^* ns3003772.ip-37-59-47.eu      2   6    17     3    +48us[ +692us] +/-   15ms
^- mail.mcwinter.org             2   6    17     3  -1202us[-1202us] +/-   34ms
^- ns.rail.eu.org                2   6    17     3    +78us[ +723us] +/-   51ms

[root@rhel7-ipa1 html]# date
Tue Mar 10 15:31:24 CET 2020

Since we now have a RHEL7.7-based IDM domain, let's upgrade the domain level. The new replica workflow enables deploying replicas without a pre-generated replica file.

[root@rhel7-ipa1 html]# ipa domainlevel-get
-----------------------
Current domain level: 0
-----------------------
[root@rhel7-ipa1 html]#  ipa domainlevel-set 1
-----------------------
Current domain level: 1
-----------------------

Red Hat recommends having at least two CA replicas, and you might want to have at least two DNS server instances as well, so the next step is to re-deploy proper replicas, which can now be installed using the domain level 1 procedure.

Once you’ve deployed enough replicas, clients can be updated to use these hosts for DNS and other domain services. Once a client’s resolv.conf points to these new hosts, update their copy of ca.crt by running ipa-certupdate.

That’s it, the RHEL6 IDM domain was migrated to RHEL7 and the CA certificate now expires in 2039.

Root Cause

Red Hat Identity Management as shipped in early Red Hat Enterprise Linux 6 versions capped the CA certificate lifetime at eight years by default. Newer installs have a twenty-year lifetime for the CA certificate.

Diagnostic Steps

# openssl x509 -in /etc/ipa/ca.crt -noout -issuer -subject -serial -dates

shows CA certificates expiring soon.
