On 11/05/12 10:42, Rob Crittenden wrote:
> Erinn Looney-Triggs wrote:
>> On 11/05/12 10:25, Rob Crittenden wrote:
>>> Erinn Looney-Triggs wrote:
>>>> I hope I haven't missed it in searching around, but how does one update
>>>> the CA certificate in IPA?
>>>>
>>>> Though it is a year out from expiring I would rather know sooner than
>>>> later when it comes to this.
>>>
>>> Kudos for planning ahead!
>>>
>>> What kind of CA do you have installed. Are you using a dogtag backend CA
>>> or did you install with the selfsign method?
>>>
>>> rob
>>>
>>
>> Using dogtag CA and it is replicated, though, and I am not sure if this
>> makes an difference, it is a subordinate CA that has been issued by an
>> AD PKI setup.
> 
> You'll need to start with your AD PKI. I'm assuming it is expiring as
> well since the IPA CA validity period is limited by its issuer. Are you
> going to rekey the AD CA or renew the current CA cert?
> 
> rob
> 

Subordinate CAs from the AD by default are only valid for two years,
whereas by default the CA for the AD is valid for 10 years. So only the
subordinate cert is being reissued.

The key won't be changing on the IPA end, just the cert. Normally this
would just be an import new cert type thing, but I am unsure in the IPA
environment.

Make sense?
-Erinn


Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to