On Thu, 25 May 2017, Fraser Tweedale wrote:

> This is not correct.  The CA cert must be valid for the leaf cert to
> be valid, but the CA cert *can* be renewed without requiring leaf
> certificates to be reissued.  So long as the following conditions
> are met, everything will be fine:
>
> 1. The CA's key (and Subject Key Identifier) do not change
> 2. The CA's Subject DN does not change
> 3. The new CA certificate gets distributed to clients.

Huh? The CA cert's validity wasn't in question -- it was still valid, and was used to issue a slew of new certificates, all of which expire in two weeks, at expiration of the original CA cert. It has since been renewed, but that doesn't change the state of any of the leaf certs issued in the interim. Also not sure what the list of conditions has to do with anything, when it's up to "ipa-cacert-manage renew" to get those right.
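The two points in this exchange can be checked side by side with a throwaway test CA. The script below is an added example, not something from the thread or from FreeIPA: it builds a 30-day CA, issues a leaf whose validity is capped at that same 30 days (the situation the reply describes), renews the CA with the same key and Subject DN for ten more years, and also builds a "renewal" under a different key for contrast. The CA name, hostname, serial and temporary directory are all constructed; it needs only a POSIX shell and the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the FreeIPA thread): renew a test CA with the same
# key and Subject DN, then see what that does to a leaf cert whose validity
# was capped at the old CA's expiry. Every name below is constructed.
set -eu

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
NOW=$(date +%s)
LATER=$((NOW + 31 * 86400))   # one day after the old CA and the leaf expire

# Minimal req config: a DN plus the extensions a CA certificate needs.
cat > "$DEMO_DIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Example Test CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Leaf extensions; the AKI is key-id based, so it matches any CA cert
# carrying the same key, regardless of that cert's serial or dates.
cat > "$DEMO_DIR/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:host.example.test
authorityKeyIdentifier = keyid
EOF

gen_key() {   # $1 = output path
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# Self-signed CA cert: $1 = key, $2 = validity in days, $3 = output path
issue_ca_cert() {
    openssl req -x509 -new -key "$1" -config "$DEMO_DIR/ca.cnf" -days "$2" -out "$3" 2>/dev/null
}

# Does leaf $2 chain to CA cert $1 when evaluated at Unix time $3?
verify_chain_at() {
    openssl verify -CAfile "$1" -attime "$3" "$2" >/dev/null 2>&1
}

not_after() {   # print the notAfter date of certificate $1
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

build_demo() {
    gen_key "$DEMO_DIR/ca.key"
    # Old CA with 30 days left.
    issue_ca_cert "$DEMO_DIR/ca.key" 30 "$DEMO_DIR/ca-old.pem"
    # Leaf issued under the old CA, with its lifetime capped at the CA's
    # remaining 30 days, as the thread describes happening in the interim.
    gen_key "$DEMO_DIR/leaf.key"
    openssl req -new -key "$DEMO_DIR/leaf.key" -config "$DEMO_DIR/ca.cnf" \
        -subj "/CN=host.example.test" -out "$DEMO_DIR/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$DEMO_DIR/leaf.csr" -CA "$DEMO_DIR/ca-old.pem" \
        -CAkey "$DEMO_DIR/ca.key" -set_serial 1000 -days 30 \
        -extfile "$DEMO_DIR/leaf.ext" -out "$DEMO_DIR/leaf.pem" 2>/dev/null
    # Renewed CA: same key and Subject DN (hence same SKI), ten more years.
    issue_ca_cert "$DEMO_DIR/ca.key" 3650 "$DEMO_DIR/ca-new.pem"
    # A "renewal" under a fresh key, violating condition 1, for contrast.
    gen_key "$DEMO_DIR/other.key"
    issue_ca_cert "$DEMO_DIR/other.key" 3650 "$DEMO_DIR/ca-rekeyed.pem"
}

report() {   # $1 = label, $2 = CA cert, $3 = evaluation time
    if verify_chain_at "$2" "$DEMO_DIR/leaf.pem" "$3"; then
        echo "$1: leaf verifies"
    else
        echo "$1: leaf does NOT verify"
    fi
}

build_demo
echo "old CA expires:   $(not_after "$DEMO_DIR/ca-old.pem")"
echo "leaf expires:     $(not_after "$DEMO_DIR/leaf.pem")"
echo "new CA expires:   $(not_after "$DEMO_DIR/ca-new.pem")"
report "today, old CA"                    "$DEMO_DIR/ca-old.pem"     "$NOW"
report "today, renewed CA (same key/DN)"  "$DEMO_DIR/ca-new.pem"     "$NOW"
report "today, renewed CA (new key)"      "$DEMO_DIR/ca-rekeyed.pem" "$NOW"
report "in 31 days, renewed CA"           "$DEMO_DIR/ca-new.pem"     "$LATER"
```

The first two reports show Fraser's conditions at work: the leaf chains to the renewed CA cert without being reissued, because issuer name and key identifier still match. The third shows why condition 1 matters: a CA renewed under a new key breaks every existing leaf. The last report is the reply's point: renewing the CA does nothing for leaves whose own notAfter was already set to the old CA's expiry; those still have to be reissued (or renewed) before that date.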

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org