Hi Wim,

Sorry for delayed reply. I was on leave for a few weeks. Glad you
reached a happy outcome. It seems irrelevant now but FWIW I was not
able to access the files on Google Drive.

Cheers,
Fraser

On Wed, Sep 12, 2018 at 11:50:44AM +0200, Wim Vinckier via FreeIPA-users wrote:
> Hi,
>
> We decided to follow this guide and just replace the certificate of the
> webserver and ldap:
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> It did what we wanted to do, for now. Maybe we will switch the CA later on.
>
> Kind regards,
>
> Wim Vinckier.
>
> On Wed, 5 Sep 2018 at 17:30, Wim Vinckier <wimp...@gmail.com> wrote:
>
> > Hi,
> >
> > You can find the files at
> > https://drive.google.com/drive/folders/1KsMv4NZ07LU0tSFyy-FgA88uYalthCXz?usp=sharing
> >
> > Kind regards,
> >
> > Wim Vinckier.
> >
> > On Mon, 3 Sep 2018 at 07:42, Wim Vinckier <wimp...@gmail.com> wrote:
> >
> >> Hi Fraser,
> >>
> >> We did use the command twice. Once to generate the CSR and a second time
> >> to supply the new certificates.
> >>
> >> I'll check with our security agent if I may supply the certificates. I'm
> >> afraid I may not supply them because of the firm security policies.
> >>
> >> Kind regards,
> >>
> >> wim vinckier.
> >>
> >> On Mon, 3 Sep 2018 at 03:17, Fraser Tweedale <ftwee...@redhat.com> wrote:
> >>
> >>> On Fri, Aug 31, 2018 at 05:26:04PM +0200, Wim Vinckier via FreeIPA-users wrote:
> >>> > Hi All,
> >>> >
> >>> > We are using our own (self-signed) root CA for our installations. We just
> >>> > started to use ipa and after exploring the possibilities we want to switch
> >>> > to the root CA we normally use. According to [1] it should be done using
> >>> > these instructions [2]. When we try to renew the certificate we get this
> >>> > error:
> >>> >
> >>> > [root@ipa ~]# ipa-cacert-manage renew
> >>> > --external-cert-file=/root/Certificate_Authority.pem
> >>> > --external-cert-file=root.cert
> >>> > Importing the renewed CA certificate, please wait
> >>> > CA certificate chain in /root/Certificate_Authority.pem, root.cert is
> >>> > incomplete: missing certificate with subject 'CN=Example SCRL'
> >>> > The ipa-cacert-manage command failed.
> >>> >
> >>> > When we check the subject of the file, it seems to be correct to me:
> >>> >
> >>> > [root@ipa ~]# openssl x509 -noout -subject -in /root/root.cert
> >>> > subject= /CN=Example SCRL
> >>> >
> >>> > Is there anyone who can help me with this?
> >>> >
> >>> > Kind regards,
> >>> >
> >>> > wim vinckier.
> >>> >
> >>> Dear Wim,
> >>>
> >>> Did you first run `ipa-cacert-manage renew --external-ca` to
> >>> generate the CSR for submission to the new CA? Then you invoke
> >>> `ipa-cacert-manage renew` a second time, supplying the new IPA CA
> >>> certificate and superior CA certificate(s) via the
> >>> `--external-cert-file` option.
> >>>
> >>> If you did these steps, then please convey your certificates so we
> >>> can inspect them and determine what the problem is.
> >>>
> >>> Cheers,
> >>> Fraser
> >>>
> >>
> >> --
> >> I would love to change the world, but they won't give me the source code.
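When the certificate files cannot be shared for inspection, as in this thread, their subject and issuer names can still be compared locally. The following is an added example, not code from the thread or from FreeIPA: the function names and the constructed CA names are assumptions, and it only compares the names as `openssl` prints them, so it does not reproduce the check that `ipa-cacert-manage` performs.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or from FreeIPA). Requires the openssl CLI.

# Print "subject=" and "issuer=" lines for every certificate in the given PEM files.
chain_names() {
    local f
    for f in "$@"; do
        openssl crl2pkcs7 -nocrl -certfile "$f" | openssl pkcs7 -print_certs -noout
    done
}

# Print each issuer name that does not appear as a subject in any supplied file.
# Empty output means every certificate's issuer is present (a self-signed root
# is its own issuer). Names are compared as printed text only.
missing_issuers() {
    chain_names "$@" | awk '
        /^subject=/ { sub(/^subject= */, ""); have[$0] = 1; next }
        /^issuer=/  { sub(/^issuer= */, "");  need[$0] = 1; next }
        END { for (dn in need) if (!(dn in have)) print dn }'
}

# Constructed sample input: a throwaway root CA and one certificate it issues,
# written to directory $1 as root.pem and sub.pem. The CN values are made up.
make_demo_chain() {
    local d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Sub CA" \
        -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/sub.pem" 2>/dev/null
}
```

Calling `missing_issuers` with the same files that are passed to `--external-cert-file` lists any issuer whose certificate is absent from that set.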