On 08/02/2017 03:27 PM, Harald Dunkel via FreeIPA-users wrote:
Hi folks,

Problem: I have set up freeipa using a bad external CA.

Long story:
I have set up my freeipa servers using

ipa-server-install -n example.com -r EXAMPLE.COM --no-ntp --external-ca 
--subject="O=example AG,C=DE" --setup-dns --forwarder=...

on ipa1.example.com. It created a CSR, it was signed by the
external PKI, and then I re-ran ipa-server-install

ipa-server-install -n example.com -r EXAMPLE.COM --subject="O=example AG,C=DE" 
--external-cert-file=/root/ipa_ipa1.crt --external-cert-file=/root/root-ca.crt 
--setup-dns --forwarder=...


Problem: The root-ca.crt is bad. It doesn't follow RFC 5280. It
is not accepted by libressl, e.g. on OpenBSD. I have to replace
both ipa_ipa1.crt and root-ca.crt.

Of course I have found ipa-cacert-manage(1) and
https://www.freeipa.org/page/V4/CA_certificate_renewal, but they
don't really tell how to proceed in this case. I don't want to
renew, but to install a new certificate chain.

The old csr file is still available.


I have 5 servers (CentOS 7.3, freeipa 4.4.0) and >100 clients.
3 servers are CS replicas. The servers are not yet affected by
the bad root certificate, but it might be just a matter of time
until OpenSSL follows RFC 5280 more closely.


Every helpful comment is highly appreciated.

Harri
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Hi,

You can follow the steps described here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/cert-renewal.html#manual-cert-renewal-ext

ipa-cacert-manage renew --external-ca will create a CSR file that can be sent to the new certificate authority. You will then receive a new cert for IPA + a new CA chain that will be used in ipa-cacert-manage renew --external-cert-file.

HTH,
Flo