On 03/04/2015 04:32 PM, sipazzo wrote:
Good afternoon, we have a freeipa 3.0.42 installation running on
Red Hat 6.6 with a mix of rhel 5, rhel6 and Solaris clients. It was
originally configured with the built in dogtag certificate CA and then
one of my co-workers added our GoDaddy certificate to the certificate
bundle. My understanding is this cert is used for communication
between the ipa servers as well as the clients are also configured to
trust the GoDaddy certificate. We recently had to get a new GoDaddy
cert so our old one is revoked. I need to figure out how to either
replace the existing revoked cert with the new one or add the new one
to the bundle and then remove the revoked certificate so as not to
break anything.
Any help is appreciated. I am not strong with certificates so the more
detail you can give the better.
Thank you.

You say it was running with the self signed IPA CA and then GoDaddy cert
was added to the bundle. How was it added?
IPA does not use certs for communication between the instances. It uses
Kerberos. I am not sure the GoDaddy cert you added is even used in some
way by IPA.
It seems that your GoDaddy cert is an orthogonal trust so if you
replaced the main key pair then you just need to distribute your new
GoDaddy cert to the clients as you did in the first place.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project