Thank you very much for the detailed and honest answer, Alexander. Based on what you wrote, I think I will bite the bullet and just start everything "fresh" with regard to the root CA. I don't have tons of LDAPS clients, so I'm willing to go through the hassle of changing their configured root CA in order to start with a fresh one. In order to ease the transition from IdM to FreeIPA, I'll most likely run both clusters in parallel (making sure to put all new user/group changes in FreeIPA only) so that I can switch over the LDAP clients gradually. As for the passwords, if I had any doubts, now I'm convinced that it's just safer and easier (if not convenient) to start anew here as well.
And thanks for that link to the Fraser articles. Should be some interesting reading for me; I definitely need to acquaint myself more with FreeIPA and its handling of certificates.

Regards,
-Martin