I am running ipa-server 4.6.6 with the same version clients. This IPA server has been around since pre-v1 and has been upgraded until the current version that is shipped with CentOS 7. The IPA CA cert was/is set to expire on Aug 10, 2020.

On the server that is the IPA CA renewal master, I checked the output of `getcert list`, and the CA with the certificate "subject: CN=Certificate Authority,O=DOMAIN.COM" and nickname `'caSigningCert cert-pki-ca'` is shown as renewed until 2040. All other certs that appear in that list are updated without intervention to 2022. It's located at `location='/etc/pki/pki-tomcat/alias'`.

So far so good; BUT I noticed that /etc/ipa/ca.crt on the same server shows as still expiring on August 10:

```
# openssl x509 -inform pem -enddate -noout -in /etc/ipa/ca.crt
notAfter=Aug 10 21:29:31 2020 GMT
```

So that means that the caSigningCert cert-pki-ca is set to automatically renew for 20 years, but the IPA CA cert is not.

Next, I saw that there are certs located in /etc/pki/pki-tomcat/alias, /etc/ipa/nssdb/, /etc/httpd/alias/, and /etc/pki/nssdb/.

My questions:

* Is my self-signed IPA CA cert supposed to be automatically renewed?
* Or is it required that I run `ipa-cacert-manage renew` on the IPA CA renewal master, and then `ipa-certupdate` on all the other server replicas and clients?
* Why do I appear to have duplicate DOMAIN IPA CA certs listed in /etc/ipa/nssdb/ and /etc/httpd/alias/? Is one location deprecated?

Thank you for your help!
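An added example (not part of the original post, and not FreeIPA project code) of the check the post walks through by hand: it reports the days left on the PEM copy of the CA cert that IPA hands to clients and compares its fingerprint with the copy stored under a nickname in an NSS database, so you can tell whether the on-disk /etc/ipa/ca.crt is the renewed certificate or the old one. The paths and nickname default to the ones named in the post; `openssl`, `certutil` (nss-tools) and GNU `date` are assumed to be installed.

```sh
#!/bin/sh
# Added example: compare the PEM CA cert that FreeIPA distributes
# (/etc/ipa/ca.crt) with the CA cert stored in an NSS database.
# Assumes openssl, certutil (nss-tools) and GNU date are available.

# Days until the certificate in a PEM file expires (negative once expired).
cert_days_left() {
    pem="$1"
    end=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2-)
    # Convert "Aug 10 21:29:31 2020 GMT" to epoch seconds (GNU date -d).
    end_epoch=$(date -u -d "$end" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# SHA-256 fingerprint of the certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2-
}

# Export one certificate from an NSS database, by nickname, as PEM.
nss_cert_pem() {
    certutil -L -d "$1" -n "$2" -a
}

# Compare /etc/ipa/ca.crt with the caSigningCert in the CA's NSS database.
# Returns 0 when both locations hold the same certificate, 1 otherwise.
compare_ipa_ca() {
    pem_file="${1:-/etc/ipa/ca.crt}"
    nssdb="${2:-/etc/pki/pki-tomcat/alias}"
    nick="${3:-caSigningCert cert-pki-ca}"
    tmp=$(mktemp)
    nss_cert_pem "$nssdb" "$nick" > "$tmp"
    echo "$pem_file: $(cert_days_left "$pem_file") days left"
    echo "$nssdb ($nick): $(cert_days_left "$tmp") days left"
    if [ "$(cert_fingerprint "$pem_file")" = "$(cert_fingerprint "$tmp")" ]; then
        echo "same certificate in both locations"
        status=0
    else
        echo "DIFFERENT certificates: $pem_file is not the renewed CA cert"
        status=1
    fi
    rm -f "$tmp"
    return $status
}
```

Run `compare_ipa_ca` with no arguments on the renewal master, or pass another database such as /etc/ipa/nssdb and its nickname to check the copies there.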
