Using freeipa 4.5.
I've replaced an external root CA that had a very short key, and have gone
through the process of re-signing the ipa intermediate-CA.
I've used ipa-cacert-manage to generate a new csr and have signed it with
my new external CA. The cert was successfully imported.
I also ran ipa-certupdate on 2 of 2 ipa servers and I can see the new CA
listed on both ipa servers with 'certutil -L -d /etc/pki/pki-tomcat/alias'.
When I run 'ipa-getcert resubmit -n Server-Cert -d /etc/httpd/alias' on an
ipa server the certificate is resubmitted, but it's still being signed by
the old ipa intermediate-CA.
I also see in the web ui under Authentication -> Certificates ->
Certificate Authorities that only one CA named 'ipa' exists, and I can see
the Issuer DN is still the old root CA.
How can I invalidate the old intermediate-CA so the new intermediate-CA is
used to sign certs going forwards?
FreeIPA-users mailing list -- email@example.com
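One way to confirm from the certificates themselves which root the chain currently names, as an added example that is not from the original post or from FreeIPA: a standard-library Python parser that reads issuer and subject DNs out of PEM certificates (the form 'certutil -L -d <dbdir> -n <nick> -a' exports) and checks whether each link of the chain names the next. It runs on constructed sample certificates that reproduce the reported symptom; the DNs (EXAMPLE.TEST, ipa1.example.test, the root CA names) are assumptions.

```python
"""Which CA does a certificate chain to? Compare issuer and subject DNs by walking
X.509 DER with the standard library only (a name check, not a signature check)."""
import base64, re

def _tlv(tag, body):  # minimal DER encoder, used only to build the constructed samples below
    n, k = len(body), (len(body).bit_length() + 7) // 8
    ln = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + ln + body
def _read_tlv(buf, pos):  # decode one TLV header at pos -> (tag, body_start, body_end)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low 7 bits give the number of length octets
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + ln
def _children(buf, start, end):  # iterate the TLVs contained in a constructed element
    while start < end:
        tag, s, e = _read_tlv(buf, start)
        yield tag, s, e
        start = e
_OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}
def _name_to_str(buf, start, end):  # X.501 Name -> "CN=..,O=.." in RFC 4514 order
    parts = []
    for _, s, _e in _children(buf, start, end):  # each RelativeDistinguishedName (SET)
        (_, ts, te), (_, vs, ve) = list(_children(buf, *_read_tlv(buf, s)[1:]))[:2]  # OID, value
        parts.append(f"{_OIDS.get(buf[ts:te], buf[ts:te].hex())}={buf[vs:ve].decode()}")
    return ",".join(reversed(parts))
def issuer_and_subject(pem):
    """(issuer DN, subject DN) of a PEM cert, e.g. 'certutil -L -d /etc/httpd/alias -n Server-Cert -a' output."""
    der = base64.b64decode(re.sub(r"-----[^-]*-----|\s", "", pem))
    _, p, _ = _read_tlv(der, 0)                             # Certificate
    fields = list(_children(der, *_read_tlv(der, p)[1:]))   # TBSCertificate: version?, serial, sigAlg, issuer, validity, subject, ...
    off = 0 if fields[0][0] == 0xA0 else -1                 # v1 certificates omit the [0] version field
    return _name_to_str(der, *fields[3 + off][1:]), _name_to_str(der, *fields[5 + off][1:])
def chain_links(cert_pem, ca_pem):  # True if cert's issuer DN equals ca's subject DN (names only)
    return issuer_and_subject(cert_pem)[0] == issuer_and_subject(ca_pem)[1]

# Constructed samples: only the DN fields are meaningful; keys, signatures and validity are omitted.
def _name(cn, o):
    atv = lambda oid, v: _tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(0x0C, v.encode())))
    return _tlv(0x30, atv(b"\x55\x04\x0a", o) + atv(b"\x55\x04\x03", cn))

def _cert(issuer, subject):  # [0] version v3, serial 1, empty sigAlg, issuer, empty validity, subject
    tbs = _tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + b"\x30\x00" + issuer + b"\x30\x00" + subject
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(_tlv(0x30, _tlv(0x30, tbs))).decode()

OLD_ROOT, NEW_ROOT = _name("Old Root CA", "EXAMPLE.TEST"), _name("New Root CA", "EXAMPLE.TEST")
IPA_CA = _name("Certificate Authority", "EXAMPLE.TEST")
OLD_ROOT_PEM, NEW_ROOT_PEM = _cert(OLD_ROOT, OLD_ROOT), _cert(NEW_ROOT, NEW_ROOT)
IPA_CA_PEM = _cert(OLD_ROOT, IPA_CA)  # the reported symptom: the ipa CA still names the old root as issuer
SERVER_CERT_PEM = _cert(IPA_CA, _name("ipa1.example.test", "EXAMPLE.TEST"))
```

Because a re-signed intermediate keeps its subject DN, the Server-Cert issuer looks identical either way; the link that changes is the ipa CA's own issuer, which is what chain_links(IPA_CA_PEM, NEW_ROOT_PEM) tests. A DN match only shows which CA a certificate claims; actual signature verification still needs a tool such as openssl verify against the new root.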