John Stokes via FreeIPA-users wrote:
> Hi all,
>
> I have a question regarding renewal of certificates issued to http services.
> I read somewhere that these certificates are automatically renewed but could
> not find any more details.
> My deployment is a standard one and I'm using the caIPAserviceCert profile.
>
> Can anyone shed some light on the process of renewals of certificates issued
> to servers? If the renewal is automatic where will the new cert (I suppose
> key file will be the same) be stored and when is the renewal being done (how
> many days before it expires)?
Renewal is handled by the certmonger daemon. You can check the certs it is
tracking using:

    # getcert list

By default the certs will attempt to be renewed starting at 28 days prior to
expiration.

The CA subsystem certificates (ocsp, audit, RA agent, etc) are shared among
the CAs. Because of this only one IPA master controls the renewal of those
certs. You can see which master this is via:

    ipa config-show

and looking at the 'IPA CA renewal master' value. By default this is the
first master installed.

Once this renewal master renews the certificates it drops a copy into LDAP.
The other masters will pick up the renewed certs from there.

The HTTP, LDAP and PKINIT certs are renewed individually on each master.

rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
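An added example (not from the reply above or from the FreeIPA project) that turns the advice into a check: it parses `getcert list` output and flags tracked certificates that are already inside certmonger's default 28-day renewal window, or whose request is not in MONITORING state or is marked stuck. The sample output below is constructed, with hypothetical host names, paths and request IDs; on a real master you would feed it the actual `getcert list` text.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `getcert list` output (not captured from a real host);
# layout follows certmonger's one-entry-per-"Request ID" format.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20240101120000':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2024-06-20 12:00:00 UTC
Request ID '20240101120001':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert'
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2025-01-01 12:00:00 UTC
"""

RENEWAL_WINDOW = timedelta(days=28)  # certmonger's default renewal lead time

def _parse_utc(value):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamp (naive, UTC)."""
    return datetime.strptime(value.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")

def parse_getcert_list(text):
    """Split `getcert list` output into one dict of fields per Request ID."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            entries.append(current)
        elif current is not None and line.startswith("\t") and ": " in line:
            key, _, value = line.strip().partition(": ")
            current[key] = value
    return entries

def check_renewals(text, now_utc):
    """Return {request_id: [findings]} for entries that need attention.
    now_utc is a 'YYYY-MM-DD HH:MM:SS' string so the check is reproducible."""
    now, findings = _parse_utc(now_utc), {}
    for e in parse_getcert_list(text):
        problems = []
        if _parse_utc(e["expires"]) - now <= RENEWAL_WINDOW:
            problems.append("inside 28-day renewal window")
        if e.get("status") != "MONITORING":   # anything else means renewal is not progressing
            problems.append("status " + e.get("status", "?"))
        if e.get("stuck") == "yes":
            problems.append("stuck")
        if problems:
            findings[e["id"]] = problems
    return findings
```

An entry inside the window with status MONITORING is normal (certmonger is about to renew it); an entry that is stuck or in another state is what to investigate, together with the renewal master shown by `ipa config-show` for the shared CA subsystem certs.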
