> Run ipa-certupdate on all IPA-enrolled machines, including servers, to > update local files.
Thanks. I ran ipa-certupdate on a client and I see that it completed successfully. The output of `certutil -L -d /etc/ipa/nssdb/` shows a second `DOMAIN IPA CA` now with the new certificate with the new expiration date. It still has the old cert as well which is expected. However, `/etc/ipa/ca.crt` changed in file size AND the filesystem modified data changed to the time where ipa-certupdate was ran today. but the output of `openssl x509 -inform pem -enddate -noout -in /etc/ipa/ca.crt` is still "notAfter=Aug 10 21:29:31 2020 GMT" -rw-r--r--. 1 root root 12351 Aug 6 12:20 ca.crt -rw-r--r--. 1 root root 4145 Aug 6 12:20 ca.crt.original When I ran `ipa-certupdate -v` it showed a "File not found" for `IPA CA` but then it found `DOMAIN IPA CA` so that's probably not relevant. So far it looks like everything updates but ca.crt does not show the updated cert. Is this something that can be changed so that ca.crt is also showing the correct certificate? K _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
