On Tue, Mar 20, 2018 at 08:22:53AM -0500, Kirk VanOpdorp via FreeIPA-users wrote:
> I have an external CA that I need to renew due to the root CA expiring soon
> and they grumbled at the CA subject last time and I suggested I would look
> into changing it. I don't see any route via the ipa-cacert-manage renew to
> change the subject but I'd be up for investigating if you have any general
> guidance on what may be involved to get it to work. I don't know if there
> are a lot of things tied to the CA subject in the inner workings of the
> system that may result in unexpected results but I can work through that
> also and provide feedback.
>

Hi Kirk,

Changing the CA subject DN is a drastic measure. Many problems can arise. I blogged about this last year. The first post discusses why you should not do this and the problems that arise, and the second post discusses how to change the CA subject DN in FreeIPA.

https://frasertweedale.github.io/blog-redhat/posts/2017-11-20-changing-ca-subject-dn-part-i.html
https://frasertweedale.github.io/blog-redhat/posts/2017-11-22-changing-ca-subject-dn-part-ii-freeipa.html

If you proceed with this, good luck! Let us know how it goes.

Cheers,
Fraser