On Wed, 04 Mar 2020, Sigbjorn Lie via FreeIPA-users wrote:
Hi,

We recently renewed our IPA CA cert using the "ipa-cacert-manage renew"
command. The renewal was successful, and our CA cert no longer expires
in 2020, but in 2040.

Running "ipa-certupdate" on existing IPA clients and ipa-client-install
on new IPA clients also works, however both the new and the old CA cert
are pulled down to the IPA client and stored in /etc/ipa/ca.crt.

This creates some issues as most applications reading /etc/ipa/ca.crt
only read the first entry, which happens to be the old CA cert.

For the moment everything works OK as the old CA cert is still valid,
however this will become a major issue in a few months time.

Is this expected? To continue to serve both the old and the new CA
certificate to old and new IPA clients?  Will the old certificate be
automatically removed at some point?  If not, what are the safe steps to
remove the old CA certificate from the IPA servers?

Could you please detail what systems are not able to process a multi-cert
ca.crt? Is that on any of the Debian/Ubuntu systems?

What applications are you encountering the problem with?

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
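Added example, not code from the thread or from FreeIPA: the check a client admin can run against /etc/ipa/ca.crt to see what a first-entry-only reader would get. It lists every certificate in the bundle in file order with its subject and expiry, and tests whether the first entry expires within a given number of days. It assumes the openssl CLI is installed; the bundle path is passed as a parameter.

```shell
#!/bin/sh
# Inspect a PEM CA bundle such as /etc/ipa/ca.crt (path given as $1).
# Assumes the openssl command-line tool is available.

# Print one line per certificate in the bundle, in file order:
#   index|subject|notAfter
list_bundle_certs() {
    bundle="$1"
    n=0
    tmp=$(mktemp)
    while IFS= read -r line; do
        printf '%s\n' "$line" >> "$tmp"
        case "$line" in
        *-----END\ CERTIFICATE-----*)
            # One complete PEM block collected: decode it with openssl.
            n=$((n + 1))
            subj=$(openssl x509 -in "$tmp" -noout -subject | sed 's/^subject= *//')
            end=$(openssl x509 -in "$tmp" -noout -enddate | sed 's/^notAfter=//')
            printf '%d|%s|%s\n' "$n" "$subj" "$end"
            : > "$tmp"
            ;;
        esac
    done < "$bundle"
    rm -f "$tmp"
}

# Return 0 if the FIRST certificate in the bundle expires within $2 days,
# else 1. "openssl x509 -in FILE" reads only the first PEM block, which is
# exactly the behaviour of an application that honours one entry only.
first_cert_expires_within() {
    secs=$(( $2 * 86400 ))
    if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 1   # still valid for the whole window
    else
        return 0   # expires within the window
    fi
}

# Usage: ./check-ca-bundle.sh /etc/ipa/ca.crt
if [ -n "${1:-}" ]; then
    list_bundle_certs "$1"
    if first_cert_expires_within "$1" 90; then
        echo "WARNING: first entry in $1 expires within 90 days"
    fi
fi
```

A bundle whose first entry is the soon-to-expire CA is flagged even though a later entry is valid for years, which is the condition the thread describes.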