Hi,

We recently renewed our IPA CA cert using the "ipa-cacert-manage renew" 
command. The renewal was successful, and our CA cert no longer expires in 2020, 
but in 2040.

Running "ipa-certupdate" on existing IPA clients and ipa-client-install on new 
IPA clients also works, however both the new and the old CA cert are pulled down 
to the IPA client and stored in /etc/ipa/ca.crt.

This creates some issues as most applications reading /etc/ipa/ca.crt only 
read the first entry, which happens to be the old CA cert.

For the moment everything works OK as the old CA cert is still valid, however 
this will become a major issue in a few months' time.

Is this expected? To continue to service both the old and the new CA 
certificate to old and new IPA clients?
Will the old certificate be automatically removed at some point?
If not, what are the safe steps to remove the old CA certificate from the IPA 
servers?


Thanks.


Regards,
Siggi
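
An added example, not part of the original post: a way to see which entries a bundle such as /etc/ipa/ca.crt holds, in file order, and which of them expire soon. It assumes the openssl command-line tool is installed; the function names and the throwaway sample certificates are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: inspect a PEM bundle such as /etc/ipa/ca.crt entry by entry.

# Print "position<TAB>status<TAB>notAfter<TAB>subject" for each certificate,
# in file order. status is EXPIRING if the entry expires within $2 days.
list_bundle() {
    local bundle="$1" days="${2:-365}" tmp f n=0 status
    tmp="$(mktemp -d)" || return 1
    # One file per PEM block; zero-padded names keep the original order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/%04d.pem", dir, ++i) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || break
        n=$((n + 1))
        if openssl x509 -in "$f" -noout -checkend $((days * 86400)) >/dev/null; then
            status=ok
        else
            status=EXPIRING
        fi
        printf '%d\t%s\t%s\t%s\n' "$n" "$status" \
            "$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)" \
            "$(openssl x509 -in "$f" -noout -subject)"
    done
    rm -rf "$tmp"
}

# Constructed sample: two throwaway self-signed certs, short-lived one first,
# mimicking the order described in the post. Names are hypothetical.
make_sample_bundle() {
    local dir="$1" name days
    for name in old:30 new:7300; do
        days="${name#*:}"; name="${name%%:*}"
        openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
            -subj "/CN=Constructed $name CA" \
            -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null || return 1
    done
    cat "$dir/old.crt" "$dir/new.crt" > "$dir/bundle.crt"
}

# When called with arguments, list the given bundle: script.sh /etc/ipa/ca.crt 365
if [ "$#" -gt 0 ]; then
    list_bundle "$@"
fi
```

An entry marked EXPIRING in position 1 is the one that applications reading only the first certificate will pick up.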
