On Thu, Jul 13, 2017 at 08:20:02AM -0400, Jeff Fouchard via FreeIPA-users wrote:
> The certificates are being issued via ipa-getcert. The certificates we get
> back are signed with what looks to be the old "self-signed" IPA CA
> certificate. The CN is the same as the new one, but the serial / expiry
> and issuer is different than what IPA is using for its own web-ui.
>
What procedure did you use to switch to an external CA?
>
> On Wed, Jul 12, 2017 at 8:23 PM, Jatin Nansi <jna...@redhat.com> wrote:
>
> > How are you issuing the certs for the clients? Are they signed by the same
> > certificate chain that signed the IPA certificate? Did you install the CA
> > certificate chain as trusted CA on the clients?
> >
> > On Thu, Jul 13, 2017 at 2:27 AM, Jeff Fouchard via FreeIPA-users <
> > freeipa-users@lists.fedorahosted.org> wrote:
> >
> >> We are in the process of switching to using an external CA. We have
> >> successfully gone through the process and indeed the Web UI now shows the
> >> expected certificate chain.
> >>
> >> However when we issue certificates to our clients downstream they are
> >> using a signing certificate that was not issued by the new external CA.
> >> I've tried to find in the documentation how that gets set, but seem to be
> >> at a loss. Can anyone point me in the correct direction?
> >>
> >> Thanks!
> >> Jeff

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org