On 08/11/2017 09:04 AM, Harald Dunkel via FreeIPA-users wrote:
Hi Flo,

On Thu, 10 Aug 2017 17:21:19 +0200
Florence Blanc-Renaud <f...@redhat.com> wrote:

On 08/10/2017 04:47 PM, Harald Dunkel wrote:
Hi folks,

On Wed, 2 Aug 2017 16:24:00 +0200
Florence Blanc-Renaud <f...@redhat.com> wrote:
Hi,

You can follow the steps described here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/cert-renewal.html#manual-cert-renewal-ext

ipa-cacert-manage renew --external-ca will create a CSR file that can be
sent to the new certificate authority. You will then receive a new cert
for IPA + a new CA chain that will be used in ipa-cacert-manage renew
--external-cert-file.

HTH,
Flo

The renewal seems to have succeeded. I see both old and new
certificate in /etc/pki/pki-tomcat/alias or /etc/ipa/nssdb .
/etc/ipa/ca.crt contains the new root certificate as well.

Problem: If I access the ipa admin web interface

        https://ipa1.example.com/

then it still uses the old certificate chain. Question is:
How can I tell freeipa to stop using the old certificate?


Every helpful comment is highly appreciated
Harri

Hi,

(I am putting the list back in copy of the mail thread)


Sorry, wrong reply button.

The command 'ipa-cacert-manage renew' updates IPA CA certificate but
does not trigger a renewal of all the certificates that were delivered
by your previous IPA CA. Those certificates are still valid and can be
used by HTTPd for instance. This is why you still see the previous cert
chain when you connect to the web GUI.

When the certificates reach their expiration date, they will
automatically be renewed, i.e. replaced by new ones signed by the new
IPA CA. If you want to renew them in advance, you can use the tool
ipa-getcert resubmit.


Thanx very much for your help on this issue.

ipa-getcert resubmit seems to work, but I wonder if there is a way
to blacklist the old CA at a central location, making all the certmongers
running somewhere out there to refresh all their monitored certificates
asap?

Hi,

as far as I know, it is not possible to perform this with a single command.

HTH,
Flo


Regards
Harri
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
