[Freeipa-users] Re: Replacing externally signed CA long before expiry

Tue, 19 Dec 2017 08:19:03 -0800 

On 12/18/2017 08:54 PM, Steve Dainard via FreeIPA-users wrote:

Hello,

Using freeipa 4.5.
I've replaced an external root CA that had a very short key, and have gone through the process of resigning the ipa intermediate-CA.
I've used ipa-cacert-manage to generate a new csr and have signed it with my new external CA. The cert was successfully imported.
I also ran ipa-certupdate on 2 of 2 ipa servers and I can see the new CA listed on both ipa servers with 'certutil -L -d /etc/pki/pki-tomcat/alias'
When I run 'ipa-getcert resubmit -n Server-Cert -d /etc/httpd/alias' on an ipa server the certificate is resubmitted, but its still being signed by the old ipa intermediate-CA. 


Hi,
you changed the external root CA when renewing IPA CA, meaning that IPA CA has a new cert chain containing the ext root CA, but IPA CA keeps the same subject name "CN=Certificate Authority,O=DOMAIN.COM".
The command resubmit asks IPA CA to renew the Server-Cert. So it is expected that you see the same "old ipa intermediate CA" as issuer of your Server-Cert for HTTPd.
I also see in the web ui under Authentication -> Certificates -> Certificate Authorities that only one ca named 'ipa' exists, and I can see the Issuer DN is still the old root CA.
This is a bug tracked in issue 7316: The Issuer DN field in IPA is not updating properly [1]. The webui and the command ipa ca-show ipa read the issuer name from an LDAP entry that is not updated. But if you look at the content of the certificate, you will be able to check that the issuer is indeed the new external root CA.
How can I invalidate the old intermediate-CA so the new intermediate-CA is used to sign certs going forwards? 


Thanks,
Steve


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org



HTH,
Flo

[1] https://pagure.io/freeipa/issue/7316
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to