Florence Blanc-Renaud via FreeIPA-users wrote:
> On 1/20/20 1:54 AM, Rob Foehl via FreeIPA-users wrote:
>> On Mon, 20 Jan 2020, Fraser Tweedale wrote:
>>
>>> On Mon, Jan 13, 2020 at 04:58:05AM -0500, Rob Foehl via FreeIPA-users wrote:
>>>> On Thu, 2 Jan 2020, Rob Foehl via FreeIPA-users wrote:
>>>>
>>>>> The question remains: how do I get rid of the self-signed CA entirely?
>>>>
>>>> Best hint toward this I've managed to find thus far is in the comments on
>>>> https://pagure.io/freeipa/issue/7283 , which got me as far as the
>>>> cACertificate and ipaCertIssuerSerial entries corresponding to the
>>>> extraneous self-signed cert... If I remove those and the cert from the
>>>> NSSDBs, then what? Reissue all dependent certs in the IPA CA chain?
>>>>
>>> If the IPA CA's key and subject did not change, then there is no
>>> need to reissue end-entity or other subordinate certificates. Only
>>> the IPA CA certificate needs to be renewed (from self-signed to
>>> externally signed) and distributed.
>>
>> I did that already. Newly (re)issued certificates do not have their
>> expiration times bound to the externally-signed CA. Anything with
>> copies of both CA certs (as fetched by ipa-certupdate, which in and of
>> itself is a nightmare) feeds only the self-signed CA chain to clients,
>> not the correct intermediate cert, breaking everything that only knows
>> about the external root.
>>
>> Any chance we could just stick to the question of how to completely
>> purge the self-signed cert from existence?
>>
> Sure, you can follow a manual process to remove the self-signed cert:
>
> 1- use ldapmodify in order to remove the cert from the LDAP database.
> You need first to find the exact dn, and then the exact
> cACertificate;binary attribute to delete. It will be stored below
> cn=certificates,cn=ipa,cn=etc,$BASEDN.
>
> 2- on all the IPA servers, use "certutil -D -d </path/to/db> -n <nickname>"
> to remove the cert from the following databases:
> /etc/dirsrv/slapd-DOMAIN-COM
> /etc/httpd/alias
> /etc/pki/pki-tomcat/alias/
> /etc/ipa/nssdb
>
> 3- on all IPA servers and clients, run ipa-certupdate; this command will
> remove the cert from
> /usr/share/ipa/html/ca.crt
> /var/kerberos/krb5kdc/cacert.pem
> /etc/ipa/ca.crt
> /var/lib/ipa-client/pki/kdc-ca-bundle.pem
> /var/lib/ipa-client/pki/ca-bundle.pem
>
> But as Fraser pointed out, there is no need to re-issue the other certs.
He wants to re-issue them because, while they are validly signed by the right key, they aren't bound by the dates of the CA, apparently. I suppose for each one you could resubmit the certmonger request to force a new cert to be issued. The re-issued cert should conform to the CA validity period.

rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
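Two checks a practitioner would want around Florence's steps, as an added example that is not code from the thread or from FreeIPA: a bundle scan that tells the self-signed IPA CA cert apart from the externally signed one with the same subject (issuer equals subject), and a generator for the step 1 ldapmodify LDIF that deletes only that one cACertificate;binary value. The DN and file paths passed in are assumptions to be replaced with the values found via ldapsearch; openssl and base64 are assumed to be in PATH.

```shell
#!/bin/sh
# Added example for the manual cleanup described in the thread; not code from
# the thread or from FreeIPA. Assumes openssl and base64 are in PATH and that
# the DN passed to delete_value_ldif is the real certstore entry.

# Print one line per certificate in the PEM bundle $1: "self-signed <subject>"
# when issuer equals subject (the extraneous IPA CA cert in this thread),
# otherwise "issued <subject>". Run it on /etc/ipa/ca.crt before and after
# ipa-certupdate to confirm the self-signed cert is really gone.
classify_bundle() {
    bundle="$1"
    n=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
    i=1
    while [ "$i" -le "$n" ]; do
        # Cut the i-th PEM block out of the bundle.
        pem=$(awk -v want="$i" '/BEGIN CERTIFICATE/ {c++}
                                c == want {print}
                                /END CERTIFICATE/ {if (c == want) exit}' "$bundle")
        subj=$(printf '%s\n' "$pem" | openssl x509 -noout -subject | sed 's/^subject=//')
        iss=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer | sed 's/^issuer=//')
        if [ "$subj" = "$iss" ]; then
            printf 'self-signed %s\n' "$subj"
        else
            printf 'issued %s\n' "$subj"
        fi
        i=$((i + 1))
    done
}

# Emit the LDIF for step 1: delete exactly one cACertificate;binary value
# (the DER of the PEM certificate in $2) from the entry with DN $1, so the
# externally signed value with the same subject stays in place.
delete_value_ldif() {
    dn="$1"
    pemfile="$2"
    der_b64=$(openssl x509 -in "$pemfile" -outform DER | base64 | tr -d '\n')
    printf 'dn: %s\nchangetype: modify\ndelete: cACertificate;binary\n' "$dn"
    printf 'cACertificate;binary:: %s\n-\n' "$der_b64"
}

# Usage: sh purge-check.sh /etc/ipa/ca.crt
if [ "$#" -ge 1 ]; then
    classify_bundle "$1"
fi
```

Feed the LDIF to ldapmodify only after confirming with classify_bundle that the PEM you pass is the self-signed value and not the externally signed one.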
