On 1/20/20 1:54 AM, Rob Foehl via FreeIPA-users wrote:
On Mon, 20 Jan 2020, Fraser Tweedale wrote:

On Mon, Jan 13, 2020 at 04:58:05AM -0500, Rob Foehl via FreeIPA-users wrote:
On Thu, 2 Jan 2020, Rob Foehl via FreeIPA-users wrote:

The question remains: how do I get rid of the self-signed CA entirely?

Best hint toward this I've managed to find thus far is in the comments on
https://pagure.io/freeipa/issue/7283 , which got me as far as the
cACertificate and ipaCertIssuerSerial entries corresponding to the
extraneous self-signed cert...  If I remove those and the cert from the
NSSDBs, then what?  Reissue all dependent certs in the IPA CA chain?

If the IPA CA's key and subject did not change, then there is no
need to reissue end-entity or other subordinate certificates.  Only
the IPA CA certificate needs to be renewed (from self-signed to
externally signed) and distributed.

I did that already.  Newly (re)issued certificates do not have their expiration times bound to the externally-signed CA.  Anything with copies of both CA certs (as fetched by ipa-certupdate, which in and of itself is a nightmare) feeds only the self-signed CA chain to clients, not the correct intermediate cert, breaking everything that only knows about the external root.

Any chance we could just stick to the question of how to completely purge the self-signed cert from existence?

Sure, you can follow a manual process to remove the self-signed cert:
1- use ldapmodify in order to remove the cert from the LDAP database. You need first to find the exact dn, and then the exact cACertificate;binary attribute to delete. It will be stored below cn=certificates,cn=ipa,cn=etc,$BASEDN.

2- on all the IPA servers, use "certutil -D -d </path/to/db> -n <nickname>" to remove the cert from the following databases:
/etc/dirsrv/slapd-DOMAIN-COM
/etc/httpd/alias
/etc/pki/pki-tomcat/alias/
/etc/ipa/nssdb

3- on all IPA servers and clients, run ipa-certupdate; this command will remove the cert from
/usr/share/ipa/html/ca.crt
/var/kerberos/krb5kdc/cacert.pem
/etc/ipa/ca.crt
/var/lib/ipa-client/pki/kdc-ca-bundle.pem
/var/lib/ipa-client/pki/ca-bundle.pem

But as Fraser pointed out, there is no need to re-issue the other certs.
flo

-Rob
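
One way to script the three steps flo lists, as an added example that is not part of the original thread or of the FreeIPA project: a bash helper that unfolds an ldapsearch dump of the CA entry, picks out the cACertificate;binary value whose issuer equals its subject (the self-signed one; the externally signed certificate shares the subject and key but names the external root as issuer), generates ldapmodify input that deletes exactly that value plus one ipaCertIssuerSerial value, and removes the nickname from the four NSS databases only when the deletion is unambiguous. Operator-supplied assumptions, none of them stated in the thread: the exact entry DN below cn=certificates,cn=ipa,cn=etc,$BASEDN, the ipaCertIssuerSerial value copied from the same ldapsearch output, the nickname the CA carries in the NSS databases, and openssl, certutil and GNU base64 being present on the server. The script name purge-selfsigned.sh is hypothetical.

```shell
#!/bin/bash
# Added example, not FreeIPA project code: helpers for the manual purge of a
# stale self-signed IPA CA certificate. Assumptions (operator-supplied, not
# from the thread): the CA entry DN below cn=certificates,cn=ipa,cn=etc,$BASEDN,
# the ipaCertIssuerSerial value copied from ldapsearch output, the nickname the
# CA has in the NSS databases, and openssl/certutil/GNU base64 on the server.
# ldif_unfold, ldif_values, b64_to_pem and ldif_delete_value are pure text.
set -u

# NSS databases named in the reply; adjust the slapd instance name.
NSS_DBS="/etc/dirsrv/slapd-DOMAIN-COM /etc/httpd/alias /etc/pki/pki-tomcat/alias /etc/ipa/nssdb"

# ldapsearch folds long values onto continuation lines that start with one space.
ldif_unfold() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }'
}

# Values of attribute $1 ("attr: v" or base64 "attr:: v") from unfolded LDIF on stdin.
ldif_values() {
    awk -v a="$1" 'index($0, a ":") == 1 { sub("^" a ":: *", ""); sub("^" a ": *", ""); print }'
}

# Wrap one base64 DER value (as stored in LDAP) as PEM for openssl.
b64_to_pem() {
    printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' \
        "$(printf '%s' "$1" | fold -w 64)"
}

# Self-signed means issuer == subject. PEM on stdin.
# Exit 0 self-signed, 1 not self-signed, 2 unparsable.
pem_is_self_signed() {
    local pem subj iss
    pem=$(cat)
    subj=$(printf '%s\n' "$pem" | openssl x509 -noout -subject 2>/dev/null) || return 2
    iss=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer 2>/dev/null) || return 2
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Step 1 helper: print each self-signed cACertificate;binary value in a saved
# entry with its serial and issuer, so the matching ipaCertIssuerSerial value
# can be picked from the same ldapsearch output by eye.
find_self_signed() {   # $1 = file holding "ldapsearch -LLL" output of the entry
    local v
    ldif_unfold < "$1" | ldif_values 'cACertificate;binary' | while read -r v; do
        if b64_to_pem "$v" | pem_is_self_signed; then
            printf '%s' "$v" | base64 -d | openssl x509 -inform DER -noout -serial -issuer
            printf 'cACertificate;binary:: %s\n' "$v"
        fi
    done
}

# Step 1: ldapmodify input deleting exactly one certificate value and one
# ipaCertIssuerSerial value. ldapmodify matches the value byte for byte, so the
# base64 must be the unfolded value unchanged.
ldif_delete_value() {   # $1 = dn, $2 = base64 cert, $3 = ipaCertIssuerSerial value
    printf 'dn: %s\nchangetype: modify\n' "$1"
    printf 'delete: cACertificate;binary\ncACertificate;binary:: %s\n-\n' "$2"
    printf 'delete: ipaCertIssuerSerial\nipaCertIssuerSerial: %s\n-\n' "$3"
}

# Step 2: certutil -D selects by nickname, so delete only when exactly one
# certificate carries the nickname in that database and it is self-signed;
# otherwise report and leave the database for manual inspection.
nss_remove_self_signed() {   # $1 = nickname
    local db pems n
    for db in $NSS_DBS; do
        pems=$(certutil -L -d "$db" -n "$1" -a 2>/dev/null) || { echo "$db: no cert named $1"; continue; }
        n=$(printf '%s\n' "$pems" | grep -c 'BEGIN CERTIFICATE')
        if [ "$n" -ne 1 ]; then
            echo "$db: $n certs share nickname $1; inspect with: certutil -L -d $db -n '$1' -a"
        elif printf '%s\n' "$pems" | pem_is_self_signed; then
            certutil -D -d "$db" -n "$1" && echo "$db: removed self-signed $1"
        else
            echo "$db: $1 is not self-signed, left in place"
        fi
    done
}

case "${1:-}" in
    find) find_self_signed "$2" ;;
    ldif) ldif_delete_value "$2" "$3" "$4" ;;
    nss)  nss_remove_self_signed "$2" ;;
    *)    echo "usage: $0 find ENTRY.ldif | ldif DN CERT_B64 ISSUER_SERIAL | nss NICKNAME" >&2 ;;
esac
```

Intended flow on a server, after an ipa-backup: dump the entry with `ldapsearch -LLL -D 'cn=Directory Manager' -W -b 'cn=certificates,cn=ipa,cn=etc,dc=example,dc=com' > cacerts.ldif` (base DN assumed), run `purge-selfsigned.sh find cacerts.ldif`, pick the ipaCertIssuerSerial value in the same dump whose serial matches the printed one, build the change with `purge-selfsigned.sh ldif DN CERT_B64 ISSUER_SERIAL > purge.ldif`, review it, apply it once with ldapmodify, then run `purge-selfsigned.sh nss NICKNAME` on every server (the NSS step is per host; the LDAP step is replicated), and finally ipa-certupdate on all servers and clients as in step 3. To confirm the bundle no longer carries the self-signed cert, `openssl crl2pkcs7 -nocrl -certfile /etc/ipa/ca.crt | openssl pkcs7 -print_certs -noout` lists subject and issuer of every certificate in the file; the IPA CA should appear only with the external issuer.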

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]