The certificates are being issued via ipa-getcert.  The certificates we get
back are signed with what looks to be the old "self-signed" IPA CA
certificate.  The CN is the same as the new one, but the serial / expiry
and issuer are different than what IPA is using for its own web-ui.

On Wed, Jul 12, 2017 at 8:23 PM, Jatin Nansi <> wrote:

> How are you issuing the certs for the clients? Are they signed by the same
> certificate chain that signed the IPA certificate? Did you install the CA
> certificate chain as trusted CA on the clients?
>
> On Thu, Jul 13, 2017 at 2:27 AM, Jeff Fouchard via FreeIPA-users <> wrote:
>
>> We are in the process of switching to using an external CA. We have
>> successfully gone through the process and indeed the Web UI now shows the
>> expected certificate chain.
>> However when we issue certificates to our clients downstream they are
>> using a signing certificate that was not issued by the new external CA.
>> I've tried to find in the documentation how that gets set, but seem to be
>> at a loss. Can anyone point me in the correct direction?
>> Thanks!
>> Jeff
>> _______________________________________________
>> FreeIPA-users mailing list --
>> To unsubscribe send an email to freeipa-users-le...@lists.fedo