On Thu, May 25, 2017 at 10:59:11AM -0400, Rob Foehl via FreeIPA-users wrote:
> On Thu, 25 May 2017, Fraser Tweedale wrote:
> 
> > This is not correct.  The CA cert must be valid for the leaf cert to
> > be valid, but the CA cert *can* be renewed without requiring leaf
> > certificates to be reissued.  So long as the following conditions
> > are met, everything will be fine:
> > 
> > 1. The CA's key (and Subject Key Identifier) do not change
> > 2. The CA's Subject DN does not change
> > 3. The new CA certificate gets distributed to clients.
> 
> Huh?  The CA cert's validity wasn't in question -- it was still valid, and
> was used to issue a slew of new certificates, all of which expire in two
> weeks, at expiration of the original CA cert.  It has since been renewed,
> but that doesn't change the state of any of the leaf certs issued in the
> interim.  Also not sure what the list of conditions has to do with anything,
> when it's up to "ipa-cacert-manage renew" to get those right.
> 
> -Rob
>
What is the validity of the leaf certificates?  Is the notAfter time
of the leaf certificate pegged to the notAfter time of the CA
certificate?  If so, this is (IMO) a bug.

Thanks,
Fraser
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
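
The three conditions Fraser lists can be checked end to end with openssl(1). The script below is an added example, not code from this thread or from FreeIPA/Dogtag: it builds a throwaway CA with a 30-day certificate, issues a 365-day leaf under it (so the leaf's notAfter deliberately runs past the CA certificate's), renews the CA certificate with the same key and Subject DN, and shows the leaf still verifies against the renewed CA certificate but not against one issued under a fresh key. All names (Example Lab CA, host.example.test), the temporary file layout and the validity periods are made up for the illustration; it assumes OpenSSL 1.1.1 or newer is on PATH.

```shell
#!/bin/sh
# Added example (not from the FreeIPA thread): does a leaf certificate survive
# renewal of its CA certificate when key/SKI and Subject DN are kept?
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal CA config so every CA cert carries SKI/AKI and basicConstraints,
# independent of whatever system openssl.cnf happens to be installed.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Example Lab CA
O  = Example Lab
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF

# Leaf (server) extensions; AKI binds the leaf to the CA *key*, not to one CA cert.
cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
subjectAltName         = DNS:host.example.test
EOF

# One CA key, reused for the renewed certificate (condition 1).
openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null

# Original CA certificate: only 30 days of validity.
openssl req -x509 -new -key "$WORK/ca.key" -config "$WORK/ca.cnf" \
    -days 30 -out "$WORK/ca1.pem" 2>/dev/null

# Leaf certificate valid for 365 days, i.e. well past ca1's notAfter.
openssl genrsa -out "$WORK/leaf.key" 2048 2>/dev/null
openssl req -new -key "$WORK/leaf.key" -subj "/CN=host.example.test" \
    -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca1.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# Renewed CA certificate: same key, same Subject DN (conditions 1 and 2), 10 years.
openssl req -x509 -new -key "$WORK/ca.key" -config "$WORK/ca.cnf" \
    -days 3650 -out "$WORK/ca2.pem" 2>/dev/null

# Counter-example: a "renewal" that re-keys the CA. Subject DN is identical,
# but the SKI changes, so the leaf's AKI and signature no longer match.
openssl genrsa -out "$WORK/ca3.key" 2048 2>/dev/null
openssl req -x509 -new -key "$WORK/ca3.key" -config "$WORK/ca.cnf" \
    -days 3650 -out "$WORK/ca3.pem" 2>/dev/null

# Helpers -------------------------------------------------------------------
# Subject Key Identifier as a colon-separated hex string.
ski()     { openssl x509 -in "$1" -noout -ext subjectKeyIdentifier | tail -n 1 | tr -d ' '; }
# Subject DN line as printed by openssl.
subject() { openssl x509 -in "$1" -noout -subject; }
# Exit 0 if the cert is still valid $2 seconds from now, 1 if it will have expired.
still_valid_after() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }
# OK if the leaf ($2) chains to the single trust anchor ($1), FAIL otherwise.
verify_leaf() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

SIXTY_DAYS=$((60 * 24 * 60 * 60))

echo "leaf vs original CA cert (ca1): $(verify_leaf "$WORK/ca1.pem" "$WORK/leaf.pem")"
echo "leaf vs renewed CA cert  (ca2): $(verify_leaf "$WORK/ca2.pem" "$WORK/leaf.pem")"
echo "leaf vs re-keyed CA cert (ca3): $(verify_leaf "$WORK/ca3.pem" "$WORK/leaf.pem")"
echo "ca1 SKI: $(ski "$WORK/ca1.pem")"
echo "ca2 SKI: $(ski "$WORK/ca2.pem")"
echo "ca3 SKI: $(ski "$WORK/ca3.pem")"
# Is the leaf's notAfter pegged to the CA cert's? Here it is not: in 60 days
# ca1 has expired while the leaf is still inside its own validity period.
still_valid_after "$WORK/ca1.pem"  "$SIXTY_DAYS" && echo "ca1 valid in 60 days"  || echo "ca1 expired in 60 days"
still_valid_after "$WORK/leaf.pem" "$SIXTY_DAYS" && echo "leaf valid in 60 days" || echo "leaf expired in 60 days"
```

The same check against a real deployment is to compare `openssl x509 -noout -enddate` of a freshly issued service certificate with that of the CA certificate it was issued under: if they coincide to the second, the issuing profile is capping leaf validity at the CA certificate's notAfter, which is the behaviour Fraser asks about above.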
