On 08/02/2017 03:27 PM, Harald Dunkel via FreeIPA-users wrote:
Hi folks,
Problem: I have set up FreeIPA using a bad external CA.
Long story:
I have set up my FreeIPA servers using
ipa-server-install -n example.com -r EXAMPLE.COM --no-ntp --external-ca
--subject="O=example AG,C=DE" --setup-dns --forwarder=...
on ipa1.example.com. It created a CSR, it was signed by the
external PKI, and then I re-ran ipa-server-install
ipa-server-install -n example.com -r EXAMPLE.COM --subject="O=example AG,C=DE"
--external-cert-file=/root/ipa_ipa1.crt --external-cert-file=/root/root-ca.crt
--setup-dns --forwarder=...
Problem: The root-ca.crt is bad. It doesn't follow RFC5280. It
is not accepted by libressl, e.g. on OpenBSD. I have to replace
both ipa_ipa1.crt and root-ca.crt.
Of course I have found ipa-cacert-manage(1) and
https://www.freeipa.org/page/V4/CA_certificate_renewal, but they don't
really tell how to proceed in this case. I don't want to renew, but to
install a new certificate chain.
The old csr file is still available.
I have 5 servers (CentOS 7.3, FreeIPA 4.4.0) and >100 clients.
3 servers are CS replicas. The servers are not yet affected by
the bad root certificate, but it might be just a matter of time
until openssl follows RFC5280 more closely.
Every helpful comment is highly appreciated.
Harri
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Hi,
You can follow the steps described here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/cert-renewal.html#manual-cert-renewal-ext
ipa-cacert-manage renew --external-ca will create a CSR file that can be
sent to the new certificate authority. You will then receive a new cert
for IPA + a new CA chain that will be used in ipa-cacert-manage renew
--external-cert-file.
HTH,
Flo