From Mageia wiki

Updating expired certificates

On the Mageia infrastructure, we have two types of certificates:

- self-signed certificates, for internal usage
- certificates for user-facing external websites, where we use

Certificates are managed by Puppet.

Checking the expiration date of a certificate

   # openssl x509 -in /etc/ssl/openldap/ldap.mageia.org.pem -text -noout | grep -A2 Validity
       Validity
           Not Before: Oct 21 07:37:31 2016 GMT
           Not After : Oct 21 07:37:31 2017 GMT
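
The same check, scripted: an added example (not part of this wiki page or of the Mageia Puppet setup) that parses the Validity block printed by `openssl x509 -text -noout`, as shown above, and reports whether the certificate is expired or about to expire. The sample block embedded below is constructed from the output above; `utc_time`, `parse_validity`, `days_until_expiry` and `certificate_status` are names chosen here.

```python
"""Parse the Validity block of `openssl x509 -text -noout` output and
report expired / expiring-soon certificates."""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample: the Validity block of ldap.mageia.org.pem shown above.
SAMPLE_VALIDITY = """\
        Validity
            Not Before: Oct 21 07:37:31 2016 GMT
            Not After : Oct 21 07:37:31 2017 GMT
"""

# openssl prints "Mon DD HH:MM:SS YYYY GMT"; single-digit days are padded
# with a space ("Oct  1 ..."), so runs of spaces are collapsed before parsing.
_DATE_RE = re.compile(r"Not (Before|After)\s*:\s*(.+ GMT)")
_DATE_FMT = "%b %d %H:%M:%S %Y GMT"


def utc_time(iso):
    """Helper: ISO-8601 string (no zone) -> timezone-aware UTC datetime."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def parse_validity(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    for which, raw in _DATE_RE.findall(text):
        stamp = " ".join(raw.split())
        found[which] = datetime.strptime(stamp, _DATE_FMT).replace(tzinfo=timezone.utc)
    if "Before" not in found or "After" not in found:
        raise ValueError("Validity block not found in openssl output")
    return found["Before"], found["After"]


def days_until_expiry(text, now):
    """Whole days left before Not After; negative once the cert has expired."""
    _, not_after = parse_validity(text)
    return int((not_after - now).total_seconds() // 86400)


def certificate_status(text, now, warn_days=30):
    """'expired', 'not-yet-valid', 'expiring' (within warn_days) or 'ok'."""
    not_before, not_after = parse_validity(text)
    if now < not_before:
        return "not-yet-valid"
    if now >= not_after:
        return "expired"
    if not_after - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


if __name__ == "__main__":
    # Usage: openssl x509 -in cert.pem -text -noout | python3 check_expiry.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_VALIDITY
    now = datetime.now(timezone.utc)
    print(certificate_status(data, now), days_until_expiry(data, now), "days")
```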

Self-signed certificate

If a certificate has expired, the easiest fix (provided it is not the wildcard certificate, see below for that one) is to delete the file (for example /etc/ssl/apache/$VHOST.pem) and run puppetd again:

   # rm /etc/ssl/apache/forums.mageia.org.pem
   # puppetd --test
   # /etc/init.d/httpd restart

Restarting the affected service is required; otherwise the old certificate will still be used.

OpenLDAP certificate

If the certificate has expired, this prevents Puppet from fixing it, so you need to create it manually:

   # openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/openldap/ldap.mageia.org.pem -out /etc/ssl/openldap/ldap.mageia.org.pem -subj '/CN=ldap.mageia.org'

Wildcard certificate

TODO