Hello, using FreeIPA 4.5.

I've replaced an external root CA that had a very short key, and have gone through the process of re-signing the IPA intermediate CA. I've used ipa-cacert-manage to generate a new CSR and have signed it with my new external CA. The cert was successfully imported.

I also ran ipa-certupdate on 2 of 2 IPA servers and I can see the new CA listed on both IPA servers with 'certutil -L -d /etc/pki/pki-tomcat/alias'.

When I run 'ipa-getcert resubmit -n Server-Cert -d /etc/httpd/alias' on an IPA server the certificate is resubmitted, but it's still being signed by the old IPA intermediate CA. I also see in the web UI under Authentication -> Certificates -> Certificate Authorities that only one CA named 'ipa' exists, and I can see the Issuer DN is still the old root CA.

How can I invalidate the old intermediate CA so the new intermediate CA is used to sign certs going forwards?

Thanks, Steve
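An added example, not part of the post above: a small offline check that reproduces the symptom with two throwaway OpenSSL CAs and tells you which CA a leaf certificate actually chains to. The CA names, hostname and file names are constructed; the `chains_to` function is the part to run against the resubmitted Server-Cert and the new CA chain.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Builds two throwaway CAs,
# issues a leaf from the old one, and checks which CA the leaf chains to.
# All DNs and file names below are constructed for the demo.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Create a self-signed CA named $1 (writes $1.key and $1.crt).
mk_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$1" >/dev/null 2>&1
}

# Issue a leaf certificate for hostname $1, signed by CA $2.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" \
    -out "$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
    -CAcreateserial -days 365 -out "$1.crt" >/dev/null 2>&1
}

# Exit 0 when leaf $1 chains to the CA bundle $2, non-zero otherwise.
# This is the check to run on the resubmitted Server-Cert against the
# NEW chain: a failure here means the cert is still issued by the old CA.
chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print the issuer DN of leaf $1, the same field the web UI shows.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

mk_ca old-root
mk_ca new-root
issue_leaf ipa.example.test old-root   # leaf still signed by the OLD CA

issuer_of ipa.example.test.crt
if chains_to ipa.example.test.crt new-root.crt; then
  echo "leaf chains to the new CA"
else
  echo "leaf does NOT chain to the new CA: still issued by the old one"
fi
```

On a real server the leaf would be exported with `certutil -L -d /etc/httpd/alias -n Server-Cert -a` and the bundle would be the new CA chain.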
_______________________________________________ FreeIPA-users mailing list -- email@example.com To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org