We're in the process of decommissioning our oldest IPA servers (built in 2014). 
We've migrated the roles successfully and are making sure everything is ready 
to switch over to the new set, and just wanted to check a few 
observations/inconsistencies.

* On some of our newer clients /etc/ipa/ca.crt contains the root and the server 
certificate of the enrolment server instead of just the root - did the 
behaviour of ipa-client-install change at some point?

* Our root contains the OCSP URI of one of the servers to be decommissioned in 
the Authority Information Access field. My understanding is that a client would 
never do an OCSP lookup on a root certificate so do we need to re-sign or add a 
CNAME prior to switching off?

* When enrolling a client, ipa-client-install pulls down an expired RA 
certificate - however /var/lib/ipa/ra-agent.pem on all servers is current. 
Where might the expired cert be stored? Doesn't appear to cause an issue in any 
case.

Adam
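An added check for the three observations above (example script written for this thread; it is not part of Adam's post or of FreeIPA's own tooling). It takes a PEM bundle such as /etc/ipa/ca.crt or /var/lib/ipa/ra-agent.pem (the paths named in the post), counts the certificates in it, marks which one is self-signed (the root), prints each certificate's expiry and its Authority Information Access extension (where the OCSP URI lives), and flags anything already expired. It assumes openssl 1.1.1 or later is on the PATH for the -ext option; when run without arguments it only exercises the pure-shell helpers on a constructed dummy bundle.

```shell
#!/bin/sh
# Added example, not from the original post: inspect a PEM bundle.
# Usage: sh inspect-bundle.sh /etc/ipa/ca.crt /var/lib/ipa/ra-agent.pem
set -eu

# Number of PEM certificate blocks in a file (grep only, no openssl).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the idx-th (1-based) certificate block of a bundle to stdout.
nth_cert() {
    awk -v idx="$2" '/^-----BEGIN CERTIFICATE-----/ { n++ } n == idx { print }' "$1"
}

# Walk a bundle and summarise every certificate in it (needs openssl).
inspect_bundle() {
    bundle=$1
    total=$(count_certs "$bundle")
    echo "$bundle: $total certificate(s)"
    i=1
    while [ "$i" -le "$total" ]; do
        tmp=$(mktemp)
        nth_cert "$bundle" "$i" > "$tmp"
        subject=$(openssl x509 -in "$tmp" -noout -subject)
        issuer=$(openssl x509 -in "$tmp" -noout -issuer)
        # A root is self-signed: subject and issuer names are identical.
        if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
            kind="self-signed root"
        else
            kind="issued by another CA"
        fi
        echo "[$i] $subject ($kind)"
        echo "    $(openssl x509 -in "$tmp" -noout -enddate)"
        # -checkend 0 exits non-zero when the certificate has already expired.
        openssl x509 -in "$tmp" -noout -checkend 0 >/dev/null \
            || echo "    WARNING: this certificate is expired"
        # AIA extension: OCSP responder / CA issuers URIs, if the cert has one.
        openssl x509 -in "$tmp" -noout -ext authorityInfoAccess 2>/dev/null \
            | sed 's/^/    /' || true
        rm -f "$tmp"
        i=$((i + 1))
    done
}

if [ "$#" -eq 0 ]; then
    # No bundle given: run the openssl-free helpers on a constructed dummy
    # bundle (two fake PEM blocks, not real certificates).
    demo=$(mktemp)
    {
        echo '-----BEGIN CERTIFICATE-----'; echo 'AAAA'; echo '-----END CERTIFICATE-----'
        echo '-----BEGIN CERTIFICATE-----'; echo 'BBBB'; echo '-----END CERTIFICATE-----'
    } > "$demo"
    echo "constructed demo bundle holds $(count_certs "$demo") certificate(s)"
    echo "second block:"
    nth_cert "$demo" 2
    rm -f "$demo"
else
    for f in "$@"; do
        inspect_bundle "$f"
    done
fi
```

Running it against /etc/ipa/ca.crt on an old and a new client shows directly whether the bundle holds one certificate or two and which one is the root; the AIA line printed for the root is the OCSP URI the second question is about, and the -checkend result on each file shows whether an expired certificate is actually present on disk.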
_______________________________________________
FreeIPA-users mailing list -- [email protected]