On 1/13/20 10:58 AM, Rob Foehl via FreeIPA-users wrote:
On Thu, 2 Jan 2020, Rob Foehl via FreeIPA-users wrote:
The question remains: how do I get rid of the self-signed CA entirely?
Hi Rob,
there is currently no easy way to do this, except using a lot of manual
commands. For info, we already have a ticket to enhance
ipa-cacert-manage with a subcommand allowing to remove a cert:
https://pagure.io/freeipa/issue/8124
Best hint toward this I've managed to find thus far is in the comments
on https://pagure.io/freeipa/issue/7283 , with got me as far as the
cACertificate and ipaCertIssuerSerial entries corresponding to the
extraneous self-signed cert... If I remove those and the cert from the
NSSDBs, then what? Reissue all dependent certs in the IPA CA chain?
What do I do about the rest of the mess it's created, and/or preventing
future problems? Bug ticket for the erroneous self-signed renewal?
If the issue is reproducible, then yes, we do need to fix the problem.
Please open an issue at https://pagure.io/freeipa/new_issue
Thanks,
flo
-Rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
