https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
I have generated my own CA and CA sub-certificates and successfully added them
according to this document. Now I want to remove the previous CA and CA-related
sub-certificates from the system. According to the steps in this document, I am
currently stuck at this step.
https://frasertweedale.github.io/blog-redhat/posts/2019-10-24-removing-ipa-ca.html#delete-ipa-ca-and-sub-ca-entries
How do I do that?

My Linux: Ubuntu 16.04, FreeIPA 4.3

1:
#ldapsearch -Y GSSAPI -QLLL -b cn=masters,cn=ipa,cn=etc,dc=yydevops,dc=com '(cn=CA)'
dn: cn=CA,cn=migration-ipa-65-214.hiido.host.yydevops.com,cn=masters,cn=ipa,cn
 =etc,dc=yydevops,dc=com
objectClass: ipaConfigObject
objectClass: nsContainer
objectClass: top
ipaConfigString: enabledService
ipaConfigString: startOrder 50
ipaConfigString: caRenewalMaster
cn: CA
 
#ldapdelete -Y GSSAPI -Q cn=CA,cn=migration-ipa-65-214.hiido.host.yydevops.com,cn=masters,cn=ipa,cn=etc,dc=yydevops,dc=com
    
2:
#ldapsearch -h localhost -p 389 -D cn="directory manager" -w directorypassxx -b cn=certificates,cn=ipa,cn=etc,dc=yydevops,dc=com | grep ^dn:

dn: cn=certificates,cn=ipa,cn=etc,dc=yydevops,dc=com
dn: cn=YYDEVOPS.COM IPA CA,cn=certificates,cn=ipa,cn=etc,dc=yydevops,dc=com
dn: cn=newca,cn=certificates,cn=ipa,cn=etc,dc=yydevops,dc=com
 
ldapdelete -Y GSSAPI -Q "cn=YYDEVOPS.COM IPA CA,cn=certificates,cn=ipa,cn=etc,dc=yydevops,dc=com"
    
3:
# certutil -d /etc/dirsrv/slapd-YYDEVOPS-COM/  -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

newca                                                        u,u,u
YYDEVOPS.COM IPA CA                                          CT,C,C
newca                                                        C,,  

#certutil -d /etc/dirsrv/slapd-YYDEVOPS-COM/  -D -n 'YYDEVOPS.COM IPA CA'
#certutil -d /etc/ipa/nssdb  -D -n 'YYDEVOPS.COM IPA CA'

4:
#ldapsearch -Y GSSAPI -QLLL -b dc=yydevops,dc=com '(objectclass=ipaca)' 1.1
I can't find any ipaca entry certificate here. Why? How do I delete the original
sub-CA entries for this system?

5:
Are the entries in ipacaacl sub-CA entries? Can I delete this entry? ipaca and
ipacaacl: will it make any difference?
root@migration-ipa-65-214:~/new_ca# ldapsearch -Y GSSAPI -QLLL -b dc=yydevops,dc=com | grep ipaca
ipaReplTopoManagedSuffix: o=ipaca
objectClass: ipacaacl
ipaReplTopoConfRoot: o=ipaca
ipaPermTargetFilter: (objectclass=ipacaacl)
ipaPermTargetFilter: (objectclass=ipacaacl)
ipaPermTargetFilter: (objectclass=ipacaacl)
ipaPermDefaultAttr: ipacacategory
ipaPermTargetFilter: (objectclass=ipacaacl)
ipaPermTargetFilter: (objectclass=ipacaacl)
ipaPermDefaultAttr: ipacacategory

root@migration-ipa-65-214:~/new_ca# ldapsearch -Y GSSAPI -QLLL -b dc=yydevops,dc=com '(objectclass=ipacaacl)' 1.1
dn: ipaUniqueID=05c04bac-fc16-11ec-a218-246e967383f8,cn=caacls,cn=ca,dc=yydevo
 ps,dc=com
 
Can I delete this entry? 
ldapdelete -Y GSSAPI -Q 
ipaUniqueID=05c04bac-fc16-11ec-a218-246e967383f8,cn=caacls,cn=ca,dc=yydevo

If not, how do I delete sub-CA entries? I request guidance, thank you very much.
     
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
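The ldapsearch output quoted in the post is LDIF, which folds long lines: a line beginning with a single space continues the previous one, which is why the ipacaacl dn ends in `dc=yydevo` on one line and `ps,dc=com` on the next, and why a DN copied straight from such output into ldapdelete comes out truncated. The following Python is an added illustration, not code from the post or from FreeIPA, that unfolds LDIF before extracting DNs and objectClasses; its sample input is constructed from the entries shown in the post.

```python
# Constructed sample: the two folded LDIF entries quoted in the post.
SAMPLE_LDIF = """\
dn: cn=CA,cn=migration-ipa-65-214.hiido.host.yydevops.com,cn=masters,cn=ipa,cn
 =etc,dc=yydevops,dc=com
objectClass: ipaConfigObject
objectClass: nsContainer
ipaConfigString: enabledService
ipaConfigString: startOrder 50
ipaConfigString: caRenewalMaster
cn: CA

dn: ipaUniqueID=05c04bac-fc16-11ec-a218-246e967383f8,cn=caacls,cn=ca,dc=yydevo
 ps,dc=com
objectClass: ipacaacl
"""

def unfold_ldif(text):
    """Split LDIF into entries after joining continuation lines (RFC 2849: a line
    beginning with one space continues the previous line; the space is dropped)."""
    entries, current = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and current:      # folded continuation line
            current[-1] += raw[1:]
        elif raw.strip():                        # attribute line
            current.append(raw.strip())
        elif current:                            # blank line ends an entry
            entries.append(current)
            current = []
    if current:
        entries.append(current)
    return entries

def parse_entries(text):
    """Return [{'dn': str, 'attrs': {lowercased name: [values]}}], one per entry."""
    parsed = []
    for lines in unfold_ldif(text):
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")   # DNs and these values hold no ':'
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name.lower(), []).append(value.strip())
        parsed.append({"dn": dn, "attrs": attrs})
    return parsed

def dns_with_objectclass(text, objectclass):
    """Unfolded DNs of entries carrying the given objectClass (case-insensitive)."""
    return [e["dn"] for e in parse_entries(text)
            if objectclass.lower() in [v.lower() for v in e["attrs"].get("objectclass", [])]]
```

Feeding the unfolded DN to ldapdelete, rather than the first line of the folded output, is the check that avoids deleting the wrong entry or failing with "no such object".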
