Using freeipa 4.5.

I've replaced an external root CA that had a very short key, and have gone
through the process of resigning the ipa intermediate-CA.

I've used ipa-cacert-manage to generate a new csr and have signed it with
my new external CA. The cert was successfully imported.

I also ran ipa-certupdate on 2 of 2 ipa servers and I can see the new CA
listed on both ipa servers with 'certutil -L -d /etc/pki/pki-tomcat/alias'

When I run 'ipa-getcert resubmit -n Server-Cert -d /etc/httpd/alias' on an
ipa server the certificate is resubmitted, but its still being signed by
the old ipa intermediate-CA.

I also see in the web ui under Authentication -> Certificates ->
Certificate Authorities that only one ca named 'ipa' exists, and I can see
the Issuer DN is still the old root CA.

How can I invalidate the old intermediate-CA so the new intermediate-CA is
used to sign certs going forwards?

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to