On 08/10/2017 04:47 PM, Harald Dunkel wrote:
Hi folks,

On Wed, 2 Aug 2017 16:24:00 +0200
Florence Blanc-Renaud <f...@redhat.com> wrote:


You can follow the steps described here:

ipa-cacert-manage renew --external-ca will create a CSR file that can be
sent to the new certificate authority. You will then receive a new cert
for IPA + a new CA chain that will be used in ipa-cacert-manage renew


The renewal seems to have succeeded. I see both old and new
certificate in /etc/pki/pki-tomcat/alias or /etc/ipa/nssdb .
/etc/ipa/ca.crt contains the new root certificate as well.

Problem: If I access the ipa admin web interface


then it still uses the old certificate chain. Question is:
How can I tell freeipa to stop using the old certificate?

Every helpful comment is highly appreciated


(I am putting the list back in copy of the mail thread)

The command 'ipa-cacert-manage renew' updates IPA CA certificate but does not trigger a renewal of all the certificates that were delivered by your previous IPA CA. Those certificates are still valid and can be used by HTTPd for instance. This is why you still see the previous cert chain when you connect to the web GUI.

When the certificates reach their expiration date, they will automatically be renewed, i.e. replaced by new ones signed by the new IPA CA. If you want to renew them in advance, you can use the tool ipa-getcert resubmit.

Note that there are a few issues with SElinux in enforcing mode, so I would advise to make a backup of your NSS databases before renewing the certs (for instance the httpd cert is stored in /etc/httpd/alias).

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to