On Mon, 20 Jan 2020, Fraser Tweedale wrote:

On Mon, Jan 13, 2020 at 04:58:05AM -0500, Rob Foehl via FreeIPA-users wrote:
On Thu, 2 Jan 2020, Rob Foehl via FreeIPA-users wrote:

The question remains: how do I get rid of the self-signed CA entirely?

Best hint toward this I've managed to find thus far is in the comments on
https://pagure.io/freeipa/issue/7283 , which got me as far as the
cACertificate and ipaCertIssuerSerial entries corresponding to the
extraneous self-signed cert...  If I remove those and the cert from the
NSSDBs, then what?  Reissue all dependent certs in the IPA CA chain?

If the IPA CA's key and subject did not change, then there is no
need to reissue end-entity or other subordinate certificates.  Only
the IPA CA certificate needs to be renewed (from self-signed to
externally signed) and distributed.

I did that already. Newly (re)issued certificates do not have their expiration times bound to the externally-signed CA. Anything with copies of both CA certs (as fetched by ipa-certupdate, which in and of itself is a nightmare) feeds only the self-signed CA chain to clients, not the correct intermediate cert, breaking everything that only knows about the external root.

Any chance we could just stick to the question of how to completely purge the self-signed cert from existence?

-Rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
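The following is an added example, not part of the thread above and not FreeIPA project code. It rebuilds the situation the two posters describe with throw-away OpenSSL material: one CA key and one CA subject, a self-signed CA certificate and an externally signed one for the same key, and a host certificate issued by that key. It then shows the check worth running before purging the self-signed certificate (same subject, same SubjectPublicKeyInfo, so existing end-entity certificates stay valid, as the reply says), and reproduces the failure Rob describes: a client that trusts only the external root cannot validate the host certificate when it is handed the self-signed CA certificate as the intermediate instead of the externally signed one. All names, subjects and file paths are constructed for the demo; the `openssl` subcommands are the only real tool used.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): one IPA CA key and
# subject, two CA certificates for it, and the checks a practitioner would
# run before removing the self-signed one.  Requires only the openssl CLI.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed subject; nothing here comes from a real deployment.
IPA_CA_SUBJ="/O=EXAMPLE.TEST/CN=Certificate Authority"

# Extensions every CA certificate in this demo gets (openssl verify insists
# on CA:TRUE for anything used as an intermediate).
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
              'keyUsage=critical,keyCertSign,cRLSign' \
              'subjectKeyIdentifier=hash' > ca.ext

# 1. External root CA: the operator's "real" PKI, self-signed from its own CSR.
openssl req -new -newkey rsa:2048 -nodes -keyout ext-root.key \
    -subj "/O=External PKI/CN=External Root" -out ext-root.csr 2>/dev/null
openssl x509 -req -in ext-root.csr -signkey ext-root.key -days 365 \
    -extfile ca.ext -out ext-root.pem 2>/dev/null

# 2. ONE IPA CA key and ONE CSR, used for BOTH IPA CA certificates.
openssl req -new -newkey rsa:2048 -nodes -keyout ipa-ca.key \
    -subj "$IPA_CA_SUBJ" -out ipa-ca.csr 2>/dev/null
#    2a. the original self-signed IPA CA certificate
openssl x509 -req -in ipa-ca.csr -signkey ipa-ca.key -days 365 \
    -extfile ca.ext -out ipa-ca-selfsigned.pem 2>/dev/null
#    2b. the renewed, externally signed IPA CA certificate (same key, same subject)
openssl x509 -req -in ipa-ca.csr -CA ext-root.pem -CAkey ext-root.key \
    -CAcreateserial -days 365 -extfile ca.ext -out ipa-ca-external.pem 2>/dev/null

# 3. A host certificate issued by the IPA CA key.  Its issuer name is copied
#    from the CA cert's subject, which is identical in both CA certificates,
#    so it chains to either one.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key \
    -subj "/CN=host.example.test" -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ipa-ca-selfsigned.pem -CAkey ipa-ca.key \
    -CAcreateserial -days 90 -out leaf.pem 2>/dev/null

# Subject plus SHA-256 of the SubjectPublicKeyInfo: the two properties that
# must be unchanged for already-issued certificates to remain valid.
ca_identity() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    spki=$(openssl x509 -in "$1" -noout -pubkey \
           | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    printf '%s|%s\n' "$subj" "$spki"
}

# Exit 0 if both CA certificates carry the same subject and public key.
same_ca_identity() {
    [ "$(ca_identity "$1")" = "$(ca_identity "$2")" ]
}

# Exit 0 if LEAF validates to trust anchor ANCHOR via intermediate INTER,
# i.e. what a client that trusts only ANCHOR does with the chain it is sent.
chain_ok() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

if same_ca_identity ipa-ca-selfsigned.pem ipa-ca-external.pem; then
    echo "IPA CA key and subject unchanged: existing certs need no reissue"
fi
# Client trusting only the external root, sent the renewed IPA CA cert.
chain_ok ext-root.pem ipa-ca-external.pem leaf.pem \
    && echo "external root + externally signed IPA CA cert: chain OK"
# Same client, but sent the self-signed IPA CA cert instead: this is the
# breakage described in the thread.
chain_ok ext-root.pem ipa-ca-selfsigned.pem leaf.pem \
    || echo "external root + self-signed IPA CA cert: chain FAILS"
# The self-signed cert still works for anyone who has it as a trust anchor.
chain_ok ipa-ca-selfsigned.pem ipa-ca-selfsigned.pem leaf.pem \
    && echo "self-signed IPA CA cert as trust anchor: chain OK"
```

On a real server the two PEM files to feed `same_ca_identity` would be exported from the relevant NSS database (for example `certutil -L -d <nssdb> -n <nickname> -a`) and decoded from the cACertificate values the thread mentions; a mismatch in either the subject or the SPKI hash means the CA was re-keyed or renamed, and then the reply's "only the CA certificate needs to be renewed" no longer holds.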
