On 12/14/2017 05:09 PM, Harald Dunkel via FreeIPA-users wrote:
Hi Flo, Rob,

On 12/14/17 9:27 AM, Florence Blanc-Renaud via FreeIPA-users wrote:

The files should contain multiple certificates (IPA CA and the external CA certificates). If it is not the case, please check first if there were AVC issues (if running in SElinux enforcing mode), and feel free to file a bug.


You are right, it's a set of certificates.

One last question: Is it safe to drop the old root CA from the
certutil database? It's no longer in LDAP, anyway. "getcert list"
doesn't mention any certificates derived from the old PKI, either.


I highly appreciate your support and patience

Regards
Harri
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Hi,

"getcert list" only shows the certificates tracked by certmonger. Before dropping the old root CA, I would check with certutil if the NSS db contains valid certificates signed by the old root CA. If it is not the case, you are safe to remove it (anyway, it would be easy to re-add it, just keep a saved copy with certutil -L -d $nssdb -n $oldrootCA -a -o oldrootca.crt).

Flo
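The check Flo describes, scripted as an added example (not code from the thread or from FreeIPA): list the NSS db, compare each certificate's Issuer against the old CA's Subject, save the old CA as PEM with the command above, and only then delete it with certutil -D. It assumes the certutil binary from nss-tools; the db path and the "Old Root CA" nickname are placeholders for the real ones.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an NSS database before removing
# an old root CA. Assumes the `certutil` binary from nss-tools; the CERTUTIL
# variable only exists so the helpers can be pointed at a stub for dry runs.
CERTUTIL="${CERTUTIL:-certutil}"

# Nicknames stored in the db, one per line: certutil -L prints a two-line header,
# a blank line, then "<nickname>   <trust flags>"; strip the trailing trust column.
nss_nicknames() {
    "$CERTUTIL" -L -d "$1" | awk 'NR > 2 && NF > 0 { sub(/[ \t]+[^ \t]+$/, ""); print }'
}

# One field ("Subject" or "Issuer") from certutil's pretty-print of a single cert.
cert_field() {
    "$CERTUTIL" -L -d "$1" -n "$2" \
        | sed -n "s/^[[:space:]]*$3: \"\(.*\)\"\$/\1/p" | head -n 1
}

# Certificates whose Issuer equals the old CA's Subject: these are the ones that
# would lose their chain if the CA were deleted (the CA itself is skipped).
certs_issued_by() {
    db="$1"; ca_nick="$2"
    ca_subject=$(cert_field "$db" "$ca_nick" Subject)
    nss_nicknames "$db" | while IFS= read -r nick; do
        if [ "$nick" = "$ca_nick" ]; then continue; fi
        if [ "$(cert_field "$db" "$nick" Issuer)" = "$ca_subject" ]; then echo "$nick"; fi
    done
}

# Save the old CA as PEM (the command from the reply above), refuse to delete
# while anything still chains to it, otherwise remove it with certutil -D.
retire_old_ca() {
    db="$1"; ca_nick="$2"; backup="$3"
    "$CERTUTIL" -L -d "$db" -n "$ca_nick" -a -o "$backup" || return 2
    dependents=$(certs_issued_by "$db" "$ca_nick")
    if [ -n "$dependents" ]; then
        printf 'refusing to delete "%s"; still issued by it:\n%s\n' "$ca_nick" "$dependents" >&2
        return 1
    fi
    "$CERTUTIL" -D -d "$db" -n "$ca_nick"
}

# Usage (placeholder path and nickname): retire_old_ca /path/to/nssdb "Old Root CA" ./oldrootca.crt
```

The issuer comparison only finds direct children of the old CA; check expiry of any match it reports before deciding whether it still matters.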