Erinn Looney-Triggs wrote:
> On 11/05/12 10:42, Rob Crittenden wrote:
>> Erinn Looney-Triggs wrote:
>>> On 11/05/12 10:25, Rob Crittenden wrote:
>>>> Erinn Looney-Triggs wrote:
>>>>> I hope I haven't missed it in searching around, but how does one update
>>>>> the CA certificate in IPA?
>>>>>
>>>>> Though it is a year out from expiring, I would rather know sooner than
>>>>> later when it comes to this.
>>>>
>>>> Kudos for planning ahead!
>>>>
>>>> What kind of CA do you have installed? Are you using a dogtag backend CA
>>>> or did you install with the selfsign method?
>>>
>>> Using dogtag CA and it is replicated, though, and I am not sure if this
>>> makes a difference, it is a subordinate CA that has been issued by an
>>> AD PKI setup.
>>
>> You'll need to start with your AD PKI. I'm assuming it is expiring as
>> well since the IPA CA validity period is limited by its issuer. Are you
>> going to rekey the AD CA or renew the current CA cert?
>
> Subordinate CAs from the AD by default are only valid for two years,
> whereas by default the CA for the AD is valid for 10 years. So only the
> subordinate cert is being reissued.
>
> The key won't be changing on the IPA end, just the cert. Normally this
> would just be an import new cert type thing, but I am unsure in the IPA
>
> Make sense?

Renewing a CA signing certificate with the same key pair is much simpler.

Here is a link on how to do so:

Look under
2.7.3. Allowing a CA Certificate to Be Renewed Past the CA's Validity Period
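The thread turns on two points: a renewal keeps the existing key pair (a rekey does not), and the IPA CA's validity is bounded by its issuer's. The script below is an added example, not code from the thread, FreeIPA or dogtag. It assumes only the `openssl` CLI on PATH, builds a constructed two-tier PKI with the hypothetical names `root` (standing in for the AD root CA) and `sub` (the IPA subordinate CA), and then runs the checks an operator would want on a renewed CA cert before importing it: the public key is unchanged, the serial is new, the new notAfter does not exceed the issuer's, and the cert still chains to the issuer. The import into IPA/dogtag itself follows the documentation linked above, not this script.

```python
"""Pre-import checks for a subordinate CA cert renewed with the same key pair.

Added example; not code from the thread, FreeIPA or dogtag. Assumes the
`openssl` CLI is on PATH. "root" and "sub" are constructed stand-ins for
the AD root CA and the IPA subordinate CA.
"""
import hashlib
import os
import subprocess
import tempfile
from datetime import datetime, timezone


def _openssl(*args, stdin=None):
    """Run one openssl command; return its stdout bytes, raise on failure."""
    return subprocess.run(["openssl", *args], input=stdin, check=True,
                          capture_output=True).stdout


def gen_key_and_csr(workdir, name, subject):
    """Fresh RSA key plus CSR (this is what a REKEY does); return paths."""
    key = os.path.join(workdir, name + ".key")
    csr = os.path.join(workdir, name + ".csr")
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-keyout", key,
             "-out", csr, "-subj", subject)
    return key, csr


def csr_from_existing_key(workdir, name, key, subject):
    """Renewal CSR: same subject, same key; only the CSR file is new."""
    csr = os.path.join(workdir, name + ".csr")
    _openssl("req", "-new", "-key", key, "-out", csr, "-subj", subject)
    return csr


def sign(workdir, name, csr, issuer_crt, issuer_key, days):
    """Issue a cert for the CSR from the issuer; return the cert path."""
    crt = os.path.join(workdir, name + ".crt")
    _openssl("x509", "-req", "-in", csr, "-CA", issuer_crt, "-CAkey", issuer_key,
             "-CAcreateserial", "-days", str(days), "-out", crt)
    return crt


def pubkey_fingerprint(crt):
    """SHA-256 of the DER SubjectPublicKeyInfo; equal => same key pair."""
    pem = _openssl("x509", "-in", crt, "-noout", "-pubkey")
    der = _openssl("pkey", "-pubin", "-outform", "DER", stdin=pem)
    return hashlib.sha256(der).hexdigest()


def serial(crt):
    return _openssl("x509", "-in", crt, "-noout", "-serial").decode().strip()


def not_after(crt):
    """Parse 'notAfter=May  5 10:42:00 2033 GMT' into an aware datetime."""
    line = _openssl("x509", "-in", crt, "-noout", "-enddate").decode().strip()
    value = line.split("=", 1)[1]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def chains_to(issuer_crt, crt):
    """True if the cert verifies against the issuer at the current time."""
    result = subprocess.run(["openssl", "verify", "-CAfile", issuer_crt, crt],
                            capture_output=True)
    return result.returncode == 0


def check_renewal(old_crt, new_crt, issuer_crt):
    """The checks to run before importing a renewed CA cert."""
    return {
        "same_key": pubkey_fingerprint(old_crt) == pubkey_fingerprint(new_crt),
        "new_serial": serial(old_crt) != serial(new_crt),
        "within_issuer_validity": not_after(new_crt) <= not_after(issuer_crt),
        "chains_to_issuer": chains_to(issuer_crt, new_crt),
    }


def demo():
    """Constructed PKI: 10-year root, 2-year sub; three kinds of reissue."""
    with tempfile.TemporaryDirectory() as work:
        root_key = os.path.join(work, "root.key")
        root_crt = os.path.join(work, "root.crt")
        _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "3650",
                 "-keyout", root_key, "-out", root_crt, "-subj", "/CN=Constructed AD Root CA")
        sub_subject = "/CN=Constructed IPA CA"
        sub_key, sub_csr = gen_key_and_csr(work, "sub", sub_subject)
        old = sign(work, "sub", sub_csr, root_crt, root_key, 730)
        renew_csr = csr_from_existing_key(work, "sub-renew", sub_key, sub_subject)
        renewed = sign(work, "sub-renew", renew_csr, root_crt, root_key, 730)
        too_long = sign(work, "sub-too-long", renew_csr, root_crt, root_key, 5000)
        _, rekey_csr = gen_key_and_csr(work, "sub-rekey", sub_subject)
        rekeyed = sign(work, "sub-rekey", rekey_csr, root_crt, root_key, 730)
        return {
            "same_key_renewal": check_renewal(old, renewed, root_crt),
            "outlives_issuer": check_renewal(old, too_long, root_crt),
            "rekeyed": check_renewal(old, rekeyed, root_crt),
        }


if __name__ == "__main__":
    for case, checks in demo().items():
        print(case, checks)
```

The explicit notAfter comparison is there because `openssl verify` alone will not catch it: path validation only checks that every cert in the chain is valid right now, so a subordinate cert that outlasts its issuer verifies fine today and simply stops chaining the day the issuer expires.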


