Yes.  Yikes.  Karl, I already replied to your earlier thread, but
`ipa-cacert-renew` was not the right command to run.

On Wed, Jul 12, 2017 at 09:38:44AM +0000, Callum Guy via FreeIPA-users wrote:
> Ummm if I understand "man ipa-cacert-manage" correctly the it sounds like
> you have renewed the CA certificate which presumably would invalidate all
> existing certificates it has authorised.
No, it does not invalidate existing certs, unless you change the
key, CA name or (for an externally-signed CA) you chain the new CA
cert up to an untrusted superior CA.

BUT!  The notBefore time of the new CA cert will be the time of
issuance.  If you then wind the time back prior to this time, it
will mean that the service certificates are within the validity
period, but the certificate of the issuing CA is not (i.e. it is NOT
YET VALID).  This the service certs will not be accepted.

To recover from this situation you should reinstall the old CA
certificate via ipa-cacert-manage.  If you can't find a copy of that
lying around you should (for a self-signed IPA CA) be able to
retrieve it from LDAP under ou=certificateRepository,ou=ca,o=ipaca.
(Probably cn=1,ou=certificateRepository,ou=ca,o=ipaca but you should
check the subject and validity before installing it to make sure the
particulars are correct).  The attribution you want is


> From your description it sounded like you just wanted the CA to issue a new
> certificate for your IPA UI, this you can do via the interface.
> On Wed, Jul 12, 2017 at 10:22 AM None via FreeIPA-users <
>> wrote:
> > The problem is that the SSL certificate was not renewed by  the
> > "ipa-cacert-manage renew" command.
> > So the http server refuses to start.
> > Hence my question: what is the correct way to renew the SSL certificate ??
> >
> > Thanks.
> > _______________________________________________
> > FreeIPA-users mailing list --
> > To unsubscribe send an email to
> >
> -- 
> Callum Guy
> Head of Information Security
> X-on
> -- 
> *0333 332 0000  | <>  |   ** 
> <>   <> 
>   <> * 
> X-on is a trading name of Storacall Technology Ltd a limited company 
> registered in England and Wales.
> Registered Office : Avaland House, 110 London Road, Apsley, Hemel 
> Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
> The information in this e-mail is confidential and for use by the 
> addressee(s) only. If you are not the intended recipient, please notify 
> X-on immediately on +44(0)333 332 0000 and delete the
> message from your computer. If you are not a named addressee you must not 
> use, disclose, disseminate, distribute, copy, print or reply to this email. 
> Views 
> or opinions expressed by an individual
> within this email may not necessarily reflect the views of X-on or its 
> associated companies. Although X-on routinely screens for viruses, 
> addressees should scan this email and any attachments
> for viruses. X-on makes no representation or warranty as to the absence of 
> viruses in this email or any attachments.

> _______________________________________________
> FreeIPA-users mailing list --
> To unsubscribe send an email to
FreeIPA-users mailing list --
To unsubscribe send an email to

Reply via email to