On Mon, Jan 30, 2023 at 11:27:47AM +0000, Schrock, Chad - 0336 - MITLL via
FreeIPA-users wrote:
>
> Hi everyone,
>
> We have a small-ish RHEL 7 IdM (4.6.8) domain that is currently running with
> a self-signed root CA. All is well and good, except we've been told that we
> have to play nice with the rest of the organization now, which includes
> changing the self-signed root CA into an intermediate CA.
>
> I remember a discussion on here about converting an IdM root CA into an
> intermediate CA, but for the life of me I can't find the discussion or any
> related documentation. (Was I hallucinating?)
>
> So:
>
> * Is what I'm talking about even possible?
> * If it is possible, is there some documentation somewhere where I can
> read up on the process and potential risks?
> * If it isn't possible, short of creating a new domain[1] and moving
> all of the clients to it, what might work here?
>
It is possible and supported. See docs:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/managing_certificates_in_idm/index#renew-with-externally-signed-CA_ipa-ca-renewal
See also ipa-cacert-manage man page. Command is:
ipa-cacert-manage renew --external-ca
But you may need extra args if the external issuer is AD-CS.
Thanks,
Fraser
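The renewal Fraser points to runs in two phases: `ipa-cacert-manage renew --external-ca` writes a CSR, the external CA signs it, and a second `ipa-cacert-manage renew --external-cert-file=...` run installs the result. The check below is an added example, not code from the thread or from FreeIPA: before the second phase it confirms that the certificate the external CA returned is actually a subordinate CA certificate (Basic Constraints CA:TRUE) and that it verifies against the external root. File names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA). Sanity-check the
# certificate an external CA returned for the IdM CA CSR before handing it to
# ipa-cacert-manage. The IPA CA must be signed as a CA (CA:TRUE); an
# end-entity certificate (e.g. issued from the wrong AD-CS template) is
# useless as a CA and the renewal will not produce a working chain.

# check_subca_cert CERT CHAIN
#   returns 0 if CERT asserts CA:TRUE and verifies against CHAIN, else 1.
check_subca_cert() {
    cert="$1"; chain="$2"
    # Basic Constraints must say CA:TRUE (shown in the -text dump).
    if ! openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "FAIL: $cert is not a CA certificate (CA:TRUE missing)"
        return 1
    fi
    # It must chain to the external root that becomes the new trust anchor.
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $chain"
        return 1
    fi
    echo "OK: $cert is a subordinate CA certificate chaining to $chain"
    return 0
}

# Assumed usage after the external CA has signed /var/lib/ipa/ca.csr, with its
# reply saved as ipa-ca.crt and the external root as external-root.crt:
#   check_subca_cert ipa-ca.crt external-root.crt && \
#     ipa-cacert-manage renew --external-cert-file=ipa-ca.crt \
#                             --external-cert-file=external-root.crt
```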
_______________________________________________
FreeIPA-users mailing list -- [email protected]