On 12/18/2017 08:54 PM, Steve Dainard via FreeIPA-users wrote:
> Hello,
> Using freeipa 4.5.
> I've replaced an external root CA that had a very short key, and have
> gone through the process of resigning the ipa intermediate-CA.
> I've used ipa-cacert-manage to generate a new csr and have signed it
> with my new external CA. The cert was successfully imported.
> I also ran ipa-certupdate on 2 of 2 ipa servers and I can see the new CA
> listed on both ipa servers with 'certutil -L -d /etc/pki/pki-tomcat/alias'
> When I run 'ipa-getcert resubmit -n Server-Cert -d /etc/httpd/alias' on
> an ipa server the certificate is resubmitted, but it's still being signed
> by the old ipa intermediate-CA.
Hi,
you changed the external root CA when renewing IPA CA, meaning that IPA
CA has a new cert chain containing the ext root CA, but IPA CA keeps the
same subject name "CN=Certificate Authority,O=DOMAIN.COM".
The command resubmit asks IPA CA to renew the Server-Cert. So it is
expected that you see the same "old ipa intermediate CA" as issuer of
your Server-Cert for HTTPd.
> I also see in the web ui under Authentication -> Certificates ->
> Certificate Authorities that only one ca named 'ipa' exists, and I can
> see the Issuer DN is still the old root CA.
This is a bug tracked in issue 7316: The Issuer DN field in IPA is not
updating properly [1]. The webui and the command ipa ca-show ipa read
the issuer name from an LDAP entry that is not updated. But if you look
at the content of the certificate, you will be able to check that the
issuer is indeed the new external root CA.
> How can I invalidate the old intermediate-CA so the new intermediate-CA
> is used to sign certs going forwards?
> Thanks,
> Steve
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
HTH,
Flo
[1] https://pagure.io/freeipa/issue/7316