On Fri, 9 Jun 2017, I wrote:

In short, that didn't go particularly well at all, which in some ways brings me back to the original as-yet-unanswered deployment question:

Is trying to do this with an external CA worth the pain?

Three attempts at this question, and zero answers...

Can I at least get a yes or no on whether external CA certificate renewal has ever been tested when that certificate is nearing expiration?

I just duplicated last week's result using an earlier snapshot of the same VM and a renewed CA cert with a 3-day validity. certmonger ignored every other cert that it had already renewed once with the original CA; the whole system is hosed after the original cert expires. It's probably possible to recover by manually replacing every certificate, but I haven't had time to try that.
