On 08/10/2017 04:47 PM, Harald Dunkel wrote:
> On Wed, 2 Aug 2017 16:24:00 +0200
> Florence Blanc-Renaud <f...@redhat.com> wrote:
>> You can follow the steps described here:
>> ipa-cacert-manage renew --external-ca will create a CSR file that can be
>> sent to the new certificate authority. You will then receive a new cert
>> for IPA + a new CA chain that will be used in ipa-cacert-manage renew
> The renewal seems to have succeeded. I see both the old and the new
> certificate in /etc/pki/pki-tomcat/alias or /etc/ipa/nssdb.
> /etc/ipa/ca.crt contains the new root certificate as well.
> Problem: if I access the IPA admin web interface,
> it still uses the old certificate chain. The question is:
> how can I tell FreeIPA to stop using the old certificate?
> Every helpful comment is highly appreciated.
(I am putting the list back in copy of the mail thread)
The command 'ipa-cacert-manage renew' updates the IPA CA certificate but
does not trigger a renewal of all the certificates that were issued by
your previous IPA CA. Those certificates are still valid and can be
used by httpd, for instance. This is why you still see the previous cert
chain when you connect to the web GUI.
When the certificates reach their expiration date, they will
automatically be renewed, i.e. replaced by new ones signed by the new
IPA CA. If you want to renew them in advance, you can use the tool
Note that there are a few issues with SELinux in enforcing mode, so I
would advise making a backup of your NSS databases before renewing the
certs (for instance, the httpd cert is stored in /etc/httpd/alias).
FreeIPA-users mailing list -- email@example.com
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
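The check a practitioner would want after this exchange, as an added example that is not part of the thread and not FreeIPA's own tooling: a POSIX shell script that saves the chain the IPA web server actually sends, prints each certificate's subject, issuer and expiry, and compares the SHA-256 fingerprint of the CA certificate the server sends with the renewed IPA CA certificate (the one returned by the new external CA). Service certificates on an IPA server are tracked by certmonger, so the script also lists the request IDs that `getcert resubmit -i <id>` would renew before expiry. It assumes `openssl` is on PATH and, for the last function, that certmonger's `getcert` is installed; `ipa.example.test:443` and `renewed-ipa-ca.pem` are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): which CA certificate does a FreeIPA
# web server really send after 'ipa-cacert-manage renew', and what would
# certmonger renew early? Assumes openssl; tracked_request_ids needs getcert.
# Host names and file paths are placeholders.

# Run "$@" once per certificate in the PEM bundle $1, with that single
# certificate on stdin. Text outside BEGIN/END markers, such as the
# " 0 s:/i:" lines written by 'openssl s_client -showcerts', is ignored.
each_cert() {
  local file buf line
  file="$1"; shift
  buf=""
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "-----BEGIN CERTIFICATE-----") buf="$line" ;;
      "-----END CERTIFICATE-----")
        if [ -n "$buf" ]; then printf '%s\n%s\n' "$buf" "$line" | "$@"; fi
        buf="" ;;
      *) if [ -n "$buf" ]; then buf="$buf
$line"; fi ;;
    esac
  done < "$file"
}

# One SHA-256 fingerprint per certificate, in file (i.e. wire) order.
pem_fingerprints() {
  each_cert "$1" openssl x509 -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Subject, issuer, expiry and fingerprint of every certificate in $1,
# so an old intermediate still being sent is visible at a glance.
chain_summary() {
  each_cert "$1" openssl x509 -noout -subject -issuer -enddate -fingerprint -sha256
}

# Return 0 if the last certificate in chain file $1 (the CA certificate the
# server actually sends) has the same fingerprint as the first certificate
# in $2. Pass the renewed IPA CA certificate as $2: a stale chain, or a
# server that sends only its leaf, yields 1.
served_ca_is() {
  local served expected
  served=$(pem_fingerprints "$1" | tail -n 1)
  expected=$(pem_fingerprints "$2" | head -n 1)
  if [ -n "$served" ] && [ "$served" = "$expected" ]; then return 0; else return 1; fi
}

# Save the chain a TLS server sends, in wire order, to $2. $1 is host:port;
# SNI is set from the host part. Needs network, so it is not exercised offline.
fetch_chain() {
  local host
  host="${1%%:*}"
  openssl s_client -connect "$1" -servername "$host" -showcerts </dev/null 2>/dev/null > "$2"
}

# Request IDs certmonger tracks on this host (getcert prints one
# "Request ID '<id>':" header per request). Renew one before it expires with:
#   getcert resubmit -i <id>
tracked_request_ids() {
  getcert list | sed -n "s/^Request ID '\(.*\)':\$/\1/p"
}

# Usage: sh check-ipa-chain.sh ipa.example.test:443 renewed-ipa-ca.pem
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  tmp=$(mktemp)
  fetch_chain "$1" "$tmp"
  chain_summary "$tmp"
  if served_ca_is "$tmp" "$2"; then
    echo "OK: $1 sends the renewed CA certificate"
  else
    echo "STALE: $1 still sends a different CA certificate; see tracked_request_ids"
  fi
  rm -f "$tmp"
fi
```

The comparison is by fingerprint of the CA certificate the server sends, not by trust-store validation: when the IPA CA keeps its key pair and only its certificate is re-signed, the old httpd certificate still validates against the new CA certificate, so a plain `openssl verify` would report success while the server keeps sending the old intermediate. Comparing what is sent with what was renewed is what answers the question in the thread.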