rui liang via FreeIPA-users wrote:
> https://frasertweedale.github.io/blog-redhat/posts/2019-05-24-ipa-cert-fix.html
> What does ipa-cert-fix do?
> In brief, the steps performed by ipa-cert-fix are:
>
> Inspect deployment to work out which certificates need renewing. This
> includes both Dogtag system certificates, FreeIPA-specific certificates
> (HTTP, LDAP, KDC and IPA RA).
> Print intentions and await operator confirmation.
> Invoke pki-server cert-fix to renew expired certificates, including
> FreeIPA-specific certificates.
> Install renewed FreeIPA-specific certificates to their respective locations.
> If any shared certificates were renewed (Dogtag system certificates excluding
> HTTP, and IPA RA), import them to the LDAP ca_renewal subtree and set the
> caRenewalMaster configuration to be the current server. This allows CA
> replicas to pick up the renewed shared certificates.
> Restart FreeIPA (ipactl restart).
>
> This feature was released after version 4.6, so it can be handled manually in
> earlier versions, right? But what exactly is going on in this one, does
> anybody know?

ipa-cert-fix is a wrapper around pki-server cert-fix. This allows for offline certificate renewal and was created to aid in situations exactly like this. It does not exist for prior versions of IPA and I'm not aware of a manual way to do the same thing other than the previous suggestions.

rob
