Hi folks,

Problem: I have set up FreeIPA using a bad external CA.

Long story:
I have set up my FreeIPA servers using 

ipa-server-install -n example.com -r EXAMPLE.COM --no-ntp --external-ca 
--subject="O=example AG,C=DE" --setup-dns --forwarder=...

on ipa1.example.com. It created a CSR, it was signed by the
external PKI, and then I re-ran ipa-server-install

ipa-server-install -n example.com -r EXAMPLE.COM --subject="O=example AG,C=DE" 
--external-cert-file=/root/ipa_ipa1.crt --external-cert-file=/root/root-ca.crt 
--setup-dns --forwarder=...

Problem: The root-ca.crt is bad. It doesn't follow RFC5280. It
is not accepted by libressl, e.g. on OpenBSD. I have to replace 
both ipa_ipa1.crt and root-ca.crt.

Of course I have found ipa-cacert-manage(1) and
https://www.freeipa.org/page/V4/CA_certificate_renewal, but they don't
really tell how to proceed in this case. I don't want to renew, but to
install a new certificate chain.

The old csr file is still available. 

I have 5 servers (CentOS 7.3, FreeIPA 4.4.0) and >100 clients. 
3 servers are CS replicas. The servers are not yet affected by 
the bad root certificate, but it might be just a matter of time 
until openssl follows RFC5280 more closely.

Every helpful comment is highly appreciated.
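Before installing a replacement chain with --external-cert-file, it is worth checking the new root and intermediate certificates against the RFC 5280 requirements for CA certificates that strict verifiers (LibreSSL, newer OpenSSL) enforce: X.509 v3, basicConstraints CA:TRUE marked critical (section 4.2.1.9), and, if keyUsage is present, keyCertSign asserted (section 4.2.1.3). The script below is an added example written for this post, not something from the FreeIPA project or from the original message; it assumes only that openssl is in PATH. The post does not say which rule root-ca.crt actually breaks, so the "bad" CA it generates (basicConstraints not critical, keyUsage without keyCertSign) is a constructed sample, as are the "Example AG" names and the temporary files.

```shell
#!/bin/sh
# Check a CA certificate against the RFC 5280 rules for CA certs that
# strict verifiers enforce, and verify a leaf against a root with openssl.
# Added example; assumes openssl in PATH. All names and files are constructed.

# check_ca_cert FILE -> 0 if FILE looks like a conforming CA cert, 1 otherwise
check_ca_cert() {
    cert=$1
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) \
        || { echo "$cert: cannot parse as X.509"; return 1; }
    rc=0
    # RFC 5280 4.1.2.1: extensions require version 3
    printf '%s\n' "$text" | grep -q 'Version: 3' \
        || { echo "$cert: not an X.509 v3 certificate"; rc=1; }
    # RFC 5280 4.2.1.9: CA certs MUST carry basicConstraints CA:TRUE, critical
    bc=$(printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints')
    case "$bc" in
        *critical*CA:TRUE*) ;;
        *CA:TRUE*) echo "$cert: basicConstraints CA:TRUE not marked critical"; rc=1 ;;
        *)         echo "$cert: basicConstraints CA:TRUE missing"; rc=1 ;;
    esac
    # RFC 5280 4.2.1.3: if keyUsage is present in a CA cert, keyCertSign must be set
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign' \
            || { echo "$cert: keyUsage present but lacks keyCertSign"; rc=1; }
    fi
    return $rc
}

# verify_chain ROOT LEAF -> 0 if LEAF chains to ROOT under openssl's own checks
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_demo_certs -> prints a temp dir holding good.pem, bad.pem, leaf.pem
# (constructed sample material: a conforming root, a non-conforming root,
# and a leaf signed by the conforming root)
make_demo_certs() {
    d=$(mktemp -d)
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
O = Example AG
C = DE
CN = Example Root CA
[good_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[bad_ca]
basicConstraints = CA:TRUE
keyUsage = digitalSignature
subjectKeyIdentifier = hash
EOF
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$d/ca.key" >/dev/null 2>&1
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$d/leaf.key" >/dev/null 2>&1
    openssl req -x509 -new -key "$d/ca.key" -config "$d/ca.cnf" \
        -extensions good_ca -days 30 -out "$d/good.pem" >/dev/null 2>&1
    openssl req -x509 -new -key "$d/ca.key" -config "$d/ca.cnf" \
        -extensions bad_ca -days 30 -out "$d/bad.pem" >/dev/null 2>&1
    openssl req -new -key "$d/leaf.key" -config "$d/ca.cnf" \
        -subj "/O=Example AG/C=DE/CN=ipa1.example.com" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/good.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/leaf.pem" >/dev/null 2>&1
    echo "$d"
}

# Demo run: the conforming root passes, the constructed bad one is reported.
demo=$(make_demo_certs)
for name in good bad; do
    if check_ca_cert "$demo/$name.pem"; then
        echo "$name.pem: acceptable as a CA certificate"
    fi
done
```

To inspect a real chain, run check_ca_cert on each CA certificate you intend to pass to --external-cert-file and verify_chain on the signed IPA CA certificate against its root; the text checks are deliberately limited to the three rules above and do not cover every RFC 5280 requirement (name constraints, policy handling, signature algorithms), so a pass here is necessary but not sufficient.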

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org