The certificates are being issued via ipa-getcert.  The certificates we get
back are signed with what looks to be the old "self-signed" IPA CA
certificate.  The CN is the same as the new one, but the serial / expiry
and issuer are different from what IPA is using for its own web-ui.



On Wed, Jul 12, 2017 at 8:23 PM, Jatin Nansi <jna...@redhat.com> wrote:

> How are you issuing the certs for the clients? Are they signed by the same
> certificate chain that signed the IPA certificate? Did you install the CA
> certificate chain as trusted CA on the clients?
>
> On Thu, Jul 13, 2017 at 2:27 AM, Jeff Fouchard via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> We are in the process of switching to using an external CA. We have
>> successfully gone through the process and indeed the Web UI now shows the
>> expected certificate chain.
>>
>> However when we issue certificates to our clients downstream they are
>> using a signing certificate that was not issued by the new external CA.
>> I've tried to find in the documentation how that gets set, but seem to be
>> at a loss. Can anyone point me in the correct direction?
>>
>> Thanks!
>> Jeff
>>
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>
>>
>