freeipa

Free IPA - Replacing expired 3rd party domain certificate


I'm using FreeIPA version 4.5

My 3rd party domain certificate expired. Can I just copy the new crt & key files over the old ones (they have the same file names) and restart ipa?

Or do I need to use the ipa-server-certinstall command to install the new certificate?


Solution

  • The problem I ran into was that I could not start the ipa service because of an expired certificate. To get around this issue I completed the following steps:

    • Changed the server date to a date prior to the cert expiration date by executing: date -s "1 FEB 2019 00:00:00"
    • Started the ipa service by executing: systemctl start ipa
    • Changed the server date back to the current date by executing: date -s "17 FEB 2019 11:45:00"

    After completing those steps I was then able to execute:
    ipa-server-certinstall -p DMPassword -w -d /etc/pki/private/mycert.pem /etc/pki/public/mycert.crt
    where the mycert.pem & mycert.crt files are the new key and cert.

    Finally I restarted the ipa service by executing: systemctl restart ipa

    IPA is now running as expected with the new certificates.
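The date rollback in the answer was only needed because the old certificate had already expired; the same thing will happen again if the replacement pair is wrong or short-lived. The following added shell helper (not from the question or from FreeIPA itself; the /etc/pki paths are the ones used above, the function names are my own) checks with the openssl CLI that the new key and certificate belong together and that the certificate still has enough lifetime left before you hand them to ipa-server-certinstall:

```shell
#!/bin/sh
# Added example (not from the question or from FreeIPA): pre-flight checks
# for a replacement certificate before running ipa-server-certinstall.
# Requires the openssl CLI.

# Succeeds when the certificate's public key equals the public key derived
# from the key file, i.e. the .crt and .pem really belong together.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate is still valid for at least $2 more days.
# With 0 days this is a plain "is it expired yet" test, which is the
# condition that stopped the ipa service in the answer above.
cert_valid_for_days() {
    secs=$(( $2 * 86400 ))
    openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null 2>&1
}

# Run both checks; prints a verdict and returns 0 only if both pass.
check_ipa_cert() {
    cert="$1"; key="$2"; min_days="${3:-30}"; rc=0
    if cert_key_match "$cert" "$key"; then
        echo "OK   key matches certificate"
    else
        echo "FAIL key and certificate do not match"; rc=1
    fi
    if cert_valid_for_days "$cert" 0; then
        if cert_valid_for_days "$cert" "$min_days"; then
            echo "OK   certificate valid for more than $min_days days"
        else
            echo "WARN certificate expires within $min_days days"
        fi
    else
        echo "FAIL certificate has already expired"; rc=1
    fi
    return "$rc"
}

# Usage: sh check_ipa_cert.sh /etc/pki/public/mycert.crt /etc/pki/private/mycert.pem [min_days]
if [ $# -ge 2 ]; then
    check_ipa_cert "$1" "$2" "$3"
fi
```

Run it as a cron job with a warning threshold and the WARN line gives you notice before the certificate lapses, instead of finding out when ipa refuses to start.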