Hi Flo,

On Wed, 2 Aug 2017 16:24:00 +0200
Florence Blanc-Renaud <f...@redhat.com> wrote:

> Hi,
> You can follow the steps described here: 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/cert-renewal.html#manual-cert-renewal-ext
> ipa-cacert-manage renew --external-ca will create a CSR file that can be 
> sent to the new certificate authority. You will then receive a new cert 
> for IPA + a new CA chain that will be used in ipa-cacert-manage renew 
> --external-cert-file.
> HTH,
> Flo

This appears to be very precise documentation, but if you look 
closely then you get

# ssh root@ipaclient1
# ipa-certupdate 
trying https://ipa2.example.com/ipa/json
Forwarding 'schema' to json server 'https://ipa2.example.com/ipa/json'
trying https://ipa2.example.com/ipa/json
Forwarding 'ca_is_enabled' to json server 'https://ipa2.example.com/ipa/json'
Forwarding 'ca_find/1' to json server 'https://ipa2.example.com/ipa/json'
Systemwide CA database updated.
The ipa-certupdate command was successful

# certutil -L -d /etc/pki/pki-tomcat/alias/
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key 
database is in an old, unsupported format.

This is *before* I installed the new certificate. I get this with
freeipa 4.4.0 on CentOS 7.3 and 4.4.4 on Debian.

Doesn't look very reliable, does it? That's my concern. Not to 
mention that /etc/pki/pki-tomcat/alias doesn't even exist, so 
I wonder what ipa-certupdate did.


Every helpful comment is highly appreciated.
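As an added example (not part of this thread or of FreeIPA itself), a POSIX-shell check for the symptom above: it reports whether an NSS database directory exists at all and whether it holds the legacy dbm layout (cert8.db/key3.db) or the sql layout (cert9.db/key4.db), and then lists certificates with an explicit dbm:/sql: prefix so the result does not depend on the certutil default. The directory list at the end is an assumption taken from the path quoted in the mail.

```shell
#!/bin/sh
# nss_db_format DIR: print one of "missing", "empty", "dbm", "sql" or "both"
# describing the NSS database layout found in DIR.
nss_db_format() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo missing
        return 0
    fi
    old=0; new=0
    if [ -f "$dir/cert8.db" ]; then old=1; fi   # legacy dbm layout
    if [ -f "$dir/cert9.db" ]; then new=1; fi   # sqlite layout
    case "$old$new" in
        10) echo dbm ;;
        01) echo sql ;;
        11) echo both ;;
        *)  echo empty ;;
    esac
}

# nss_list_certs DIR: run certutil -L with the prefix matching the layout,
# instead of relying on whatever format this NSS build defaults to.
nss_list_certs() {
    dir=$1
    fmt=$(nss_db_format "$dir")
    case "$fmt" in
        dbm|sql) certutil -L -d "$fmt:$dir" ;;
        both)    certutil -L -d "sql:$dir" ;;   # prefer the newer store
        *)       echo "no NSS database in $dir ($fmt)" >&2; return 1 ;;
    esac
}

# Assumed check list; the path comes from the session quoted above.
for d in /etc/pki/pki-tomcat/alias; do
    printf '%s: %s\n' "$d" "$(nss_db_format "$d")"
done
```

Run nss_list_certs only on directories reported as dbm, sql or both; "missing" means the path is simply absent, which is a different problem from an unreadable database.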
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org