> I just want to make sure we are using the same terminology. When you refer > to the root certificate, do you mean that IPA was installed with an > externally signed CA? If that's the case, it's expected that > /etc/ipa/ca.crt contains both the external CA and IPA CA. > Or are you referring to IPA CA?
Referring to the IPA CA - we don't have the root externally signed. > Where do you see this expired RA certificate? Clients do not have any RA > certificate, only servers do. It's during the client install process (and, subsequently, in /etc/ipa/ca.crt). Rob's comment above gave me enough of a clue to figure out that the server shouldn't be doing that and that the two cert issues are actually the same issue - the old servers seem to be serving up additional certs erroneously, but the new ones behave correctly. Adam _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
