> Trust to Active Directory does not rely on any CA certificate or certificate > properties from Active Directory. Many Active Directory forests do not have > integrated CA at all. Thanks. That makes me feel a lot better about tonight.
> However, if you have deployed IPA CA as a sub-CA of existing AD CA, you might > be affected. Please clarify whether this is indeed the case. I can confirm that we do NOT have IPA setup as a sub-CA. There was actually a complicated conversation about that specific topic when we were in the midst of deploying. 1 week after having RHEL consultants on site, one of my colleagues made me re-deploy the entire cluster again, because he wanted the sub-CA. After even more back and forth with our Corporate AD team, and testing, we re-deployed yet again without the sub-CA. It was a fiasco. The consultant was great. My colleagues were not. Felt like the longest 3 weeks of my life, with requirements changing on me every other day. LOL. Thank you! On 6/24/20, 8:13 AM, "Alexander Bokovoy" <[email protected]> wrote: On ke, 24 kesä 2020, White, David via FreeIPA-users wrote: >We have IdM / FreeIPA running on RHEL 7 boxes. >This is a 6-node cluster that has an existing 1-way trust back to >Active Directory. > >IdM is still acting as the CA for its own clients, and when we setup the trust, we used the following command: >ipa trust-add --type=ad example.com --admin admin_user > >We just learned very recently that our Active Directory team is >generating and installing a new Root CA certificate into AD. That is >happening tonight at 9pm. > >The existing Root CA will remain in place until it expires in about 1 month. > >Is there anything that we will have to do to IdM to get it to trust the >new certificate? Trust to Active Directory does not rely on any CA certificate or certificate properties from Active Directory. Many Active Directory forests do not have integrated CA at all. So for the trust to AD specifically, this is not an issue. However, if you have deployed IPA CA as a sub-CA of existing AD CA, you might be affected. Please clarify whether this is indeed the case. -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
