Hi Flo,

On Thu, 10 Aug 2017 17:21:19 +0200
Florence Blanc-Renaud <f...@redhat.com> wrote:

> On 08/10/2017 04:47 PM, Harald Dunkel wrote:
> > Hi folks,
> > 
> > On Wed, 2 Aug 2017 16:24:00 +0200
> > Florence Blanc-Renaud <f...@redhat.com> wrote:
> >   
> >> Hi,
> >>
> >> You can follow the steps described here:
> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/cert-renewal.html#manual-cert-renewal-ext
> >>
> >> ipa-cacert-manage renew --external-ca will create a CSR file that can be
> >> sent to the new certificate authority. You will then receive a new cert
> >> for IPA + a new CA chain that will be used in ipa-cacert-manage renew
> >> --external-cert-file.
> >>
> >> HTH,
> >> Flo  
> > 
> > The renewal seems to have succeeded. I see both old and new
> > certificate in /etc/pki/pki-tomcat/alias or /etc/ipa/nssdb .
> > /etc/ipa/ca.crt contains the new root certificate as well.
> > 
> > Problem: If I access the ipa admin web interface
> > 
> >     https://ipa1.example.com/
> > 
> > then it still uses the old certificate chain. Question is:
> > How can I tell freeipa to stop using the old certificate?
> > 
> > 
> > Every helpful comment is highly appreciated
> > Harri
> >   
> 
> Hi,
> 
> (I am putting the list back in copy of the mail thread)
> 

Sorry, wrong reply button.

> The command 'ipa-cacert-manage renew' updates IPA CA certificate but 
> does not trigger a renewal of all the certificates that were delivered 
> by your previous IPA CA. Those certificates are still valid and can be 
> used by HTTPd for instance. This is why you still see the previous cert 
> chain when you connect to the web GUI.
> 
> When the certificates reach their expiration date, they will 
> automatically be renewed, i.e. replaced by new ones signed by the new 
> IPA CA. If you want to renew them in advance, you can use the tool 
> ipa-getcert resubmit.
> 

Thanks very much for your help on this issue.

ipa-getcert resubmit seems to work, but I wonder if there is a way
to blacklist the old CA at a central location, making all the certmongers 
running somewhere out there to refresh all their monitored certificates 
asap?


Regards
Harri
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
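The thread above describes two steps: re-rooting the IPA CA with `ipa-cacert-manage renew`, then renewing the service certificates that certmonger still tracks (by waiting for expiry, or early with `ipa-getcert resubmit`). The script below is an added example, not code from the thread or from the FreeIPA project: it parses `getcert list` output, picks every request that is in state MONITORING and was issued through the `IPA` certmonger CA helper, and emits the matching `ipa-getcert resubmit -i <request-id>` commands (dry run by default). The `getcert list` sample, the request IDs, the host names and the file locations are constructed for the example; the only real commands it relies on are `getcert list`, `ipa-getcert resubmit -i`, `openssl s_client` and `openssl x509`.

```shell
#!/bin/sh
# Added example (not FreeIPA project code): bulk-resubmit certmonger requests
# so that certificates issued by the previous IPA CA are renewed ahead of expiry.
set -u

# Constructed sample of `getcert list` output (real output is tab-indented;
# the parser accepts tabs or spaces). Record 3 is stuck, record 4 is the CA's
# own signing certificate, which ipa-cacert-manage handles, not this script.
SAMPLE=$(cat <<'EOF'
Number of certificates and requests being tracked: 4.
Request ID '20170801120000':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipa1.example.com,O=EXAMPLE.COM
    expires: 2019-08-01 12:00:00 UTC
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
Request ID '20170801120001':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipa1.example.com,O=EXAMPLE.COM
    expires: 2019-08-01 12:00:00 UTC
Request ID '20170801120002':
    status: CA_UNREACHABLE
    stuck: yes
    certificate: type=FILE,location='/etc/pki/tls/certs/app.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=app.example.com,O=EXAMPLE.COM
Request ID '20170801120003':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=External Root CA,O=EXAMPLE.COM
    subject: CN=Certificate Authority,O=EXAMPLE.COM
EOF
)

# select_requests: read `getcert list` text on stdin and print one request ID
# per line for requests in state MONITORING that use the certmonger CA named
# in $1 (default "IPA"). Requests that are stuck or mid-renewal are skipped so
# a second resubmit is not piled on top of an in-flight one.
select_requests() {
    want="${1:-IPA}"
    awk -v want="$want" -v q="'" '
        function flush() {
            if (id != "" && status == "MONITORING" && ca == want) print id
        }
        /^Request ID /          { flush(); id = $3; gsub(q, "", id); sub(/:$/, "", id); status = ""; ca = "" }
        /^[[:space:]]*status: / { status = $2 }
        /^[[:space:]]*CA: /     { ca = $2 }
        END                     { flush() }
    '
}

# resubmit_commands: read request IDs on stdin and emit one
# `ipa-getcert resubmit -i <id>` per line. With RUN=1 exported the commands
# are executed (certmonger then renews through the IPA CA and runs each
# request's post-save command, e.g. restarting httpd); otherwise they are
# printed for review.
resubmit_commands() {
    while IFS= read -r id; do
        [ -n "$id" ] || continue
        if [ "${RUN:-0}" = 1 ]; then
            ipa-getcert resubmit -i "$id"
        else
            printf 'ipa-getcert resubmit -i %s\n' "$id"
        fi
    done
}

# show_served_chain: print subject, issuer and fingerprint of the leaf
# certificate an HTTPS endpoint actually serves, to confirm the web GUI has
# switched to the renewed certificate (needs network access; not run here).
show_served_chain() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -fingerprint -sha256
}

# Dry run over the constructed sample. On a real host use:
#   getcert list | select_requests IPA | resubmit_commands        (review)
#   getcert list | select_requests IPA | RUN=1 sh -c 'resubmit_commands'  (or export RUN=1)
printf '%s\n' "$SAMPLE" | select_requests IPA | resubmit_commands
```

Filtering on the certmonger CA helper rather than on the issuer DN is deliberate: after `ipa-cacert-manage renew --external-ca` the IPA CA keeps its subject, so the `issuer:` line of a service certificate looks the same before and after the re-rooting and cannot tell old-chain certificates apart. Run `show_served_chain ipa1.example.com` before and after the resubmits and compare the fingerprints to verify that httpd picked up the renewed certificate.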
