On 6/30/23 12:38, Rob Crittenden wrote:
> The CA is stored in the NSS database /etc/pki/pki-tomcat/alias. You can use pk12util to extract it into a PKCS#12, then extract that and you'll have the CA. This would keep the CA trust the same but with a fresh install you'd need new keytabs for any enrolled clients.
FYI, I ran into an issue trying to re-use the root CA from the existing install. ipa-server-install won't accept the --external-cert-file option unless it's previously been run with --external-ca. And, of course, the pre-existing CA certificate and key don't match the CSR (and presumably the private key) that are used to create the CSR.

I'm starting to suspect that it will be easier to just accept that I'm going to have to use a new root CA, rather than trying to re-use the old one.

--
========================================================================
Google Where SkyNet meets Idiocracy
========================================================================
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
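The export Rob describes (NSS database to PKCS#12, then PKCS#12 to PEM), written out as an added example; this is not code from the thread or from the FreeIPA project. The NSS step must run as root on the IPA server and assumes two things the thread does not state: that the CA signing certificate's nickname in /etc/pki/pki-tomcat/alias is "caSigningCert cert-pki-ca", and that the database password is the "internal=" entry in /etc/pki/pki-tomcat/password.conf. Passwords are passed through files rather than on the command line so they do not show up in the process list. The last function checks that the PEM key and certificate actually belong together before you hand them to anything else.

```shell
#!/bin/sh
# Added example: pull the FreeIPA CA out of the pki-tomcat NSS database.
# Assumptions (not on the page): nickname and password.conf layout below.
set -eu
umask 077

NSSDB=/etc/pki/pki-tomcat/alias
NICK='caSigningCert cert-pki-ca'           # assumed nickname
PWCONF=/etc/pki/pki-tomcat/password.conf   # assumed location of "internal=..."

# Step 1 (run on the IPA server as root): NSS database -> PKCS#12.
#   export_ca_p12 /root/ca.p12 /root/p12.pw
# -k reads the NSS slot password from a file, -w the PKCS#12 password from a file.
export_ca_p12() {
    out=$1 p12pwfile=$2
    nsspw=$(mktemp)
    sed -n 's/^internal=//p' "$PWCONF" > "$nsspw"
    pk12util -d "$NSSDB" -n "$NICK" -o "$out" -k "$nsspw" -w "$p12pwfile"
    rm -f "$nsspw"
}

# Step 2: PKCS#12 -> PEM certificate (ca.crt) and unencrypted PEM key (ca.key).
# -clcerts keeps only the certificate that matches the private key in the bundle.
split_p12() {
    p12=$1 p12pwfile=$2 outdir=$3
    openssl pkcs12 -in "$p12" -passin "file:$p12pwfile" -nokeys -clcerts \
        -out "$outdir/ca.crt"
    openssl pkcs12 -in "$p12" -passin "file:$p12pwfile" -nocerts -nodes \
        -out "$outdir/ca.key"
}

# Step 3: confirm the key and certificate are a pair by comparing the
# SHA-256 of the public key derived from each. Returns 0 on match, 1 otherwise.
keypair_matches() {
    crt=$1 key=$2
    from_crt=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    from_key=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$from_crt" = "$from_key" ]
}

# Typical run on the server (commented out so the file can be sourced):
#   printf 'choose-a-passphrase\n' > /root/p12.pw
#   export_ca_p12 /root/ca.p12 /root/p12.pw
#   split_p12 /root/ca.p12 /root/p12.pw /root
#   keypair_matches /root/ca.crt /root/ca.key && echo "key and cert match"
```

Keep the resulting ca.key as tightly protected as the NSS database it came from; it is the root of trust for every certificate the deployment has issued. Rob's caveat still applies: even with the same CA, a fresh install means new keytabs for enrolled clients.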