On Wed, 24 Jun 2020, White, David via FreeIPA-users wrote:
> We have IdM / FreeIPA running on RHEL 7 boxes.
> This is a 6-node cluster that has an existing 1-way trust back to
> Active Directory.
>
> IdM is still acting as the CA for its own clients, and when we set up the trust,
> we used the following command:
> ipa trust-add --type=ad example.com --admin admin_user
>
> We just learned very recently that our Active Directory team is
> generating and installing a new Root CA certificate into AD. That is
> happening tonight at 9pm.
>
> The existing Root CA will remain in place until it expires in about 1 month.
>
> Is there anything that we will have to do to IdM to get it to trust the
> new certificate?

Trust to Active Directory does not rely on any CA certificate or
certificate properties from Active Directory. Many Active Directory
forests do not have an integrated CA at all.

So for the trust to AD specifically, this is not an issue.

However, if you have deployed the IPA CA as a sub-CA of an existing AD CA, you
might be affected. Please clarify whether this is indeed the case.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
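The question Alexander asks back (is the IPA CA a sub-CA of the AD CA, or self-signed?) can be answered from the CA certificate itself. The script below is an added example, not code from this thread or from the FreeIPA project: it classifies a CA certificate as self-signed (subject equals issuer) or externally signed, and checks whether an externally signed one actually chains to a given root. On a real IdM server you would point it at /etc/ipa/ca.crt and the AD root you exported; the certificates it builds here are constructed for the demo, and the names, file layout and report wording are assumptions. It needs only the openssl CLI.

```shell
# ipa_ca_kind CERT_PEM -> prints "self-signed" or "externally-signed"
ipa_ca_kind() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    # Strip the "subject=" / "issuer=" labels; openssl formats both DNs the same way
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        echo "self-signed"
    else
        echo "externally-signed"
    fi
}

# chains_to_root CERT_PEM ROOT_PEM -> exit status 0 if CERT verifies against ROOT
chains_to_root() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# make_demo_certs DIR -> writes constructed certificates (hypothetical names) into DIR:
#   adroot.pem   self-signed "AD" root
#   ipasub.pem   "IPA CA" signed by adroot (the sub-CA case Alexander asks about)
#   ipaself.pem  self-signed "IPA CA" (the default ipa-server-install case)
make_demo_certs() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed AD Root CA" \
        -keyout "$d/adroot.key" -out "$d/adroot.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed IPA Sub CA" \
        -keyout "$d/ipasub.key" -out "$d/ipasub.csr" 2>/dev/null
    # CA extensions for the sub-CA certificate
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl x509 -req -in "$d/ipasub.csr" -CA "$d/adroot.pem" -CAkey "$d/adroot.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/ipasub.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed IPA Self-Signed CA" \
        -keyout "$d/ipaself.key" -out "$d/ipaself.pem" 2>/dev/null
}

# report CERT_PEM ROOT_PEM -> one line saying what a rollover of ROOT means for CERT
report() {
    kind=$(ipa_ca_kind "$1")
    if [ "$kind" = "self-signed" ]; then
        echo "$1: self-signed; a rollover of $2 does not affect this CA"
    elif chains_to_root "$1" "$2"; then
        echo "$1: sub-CA of $2; plan a re-issue before the old root expires"
    else
        echo "$1: externally signed, but not by $2; check which root issued it"
    fi
}

# Demo run on the constructed certificates
demo=$(mktemp -d)
make_demo_certs "$demo"
report "$demo/ipaself.pem" "$demo/adroot.pem"
report "$demo/ipasub.pem" "$demo/adroot.pem"
rm -rf "$demo"
```

The subject/issuer comparison is the quick answer to "did ipa-server-install run with --external-ca?"; the openssl verify step is the one that matters for the rollover, because a sub-CA whose chain ends at the old AD root stops validating when that root expires, while a self-signed IPA CA is untouched. In IdM the CA certificate is managed with ipa-cacert-manage, which is where a re-issue under the new root would be done.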