On 03/12/2015 12:48 PM, crony wrote:
> Thank you David, I'll check it out.
>
> 2015-03-12 12:36 GMT+01:00 David Kupka <dku...@redhat.com>:
>
>> On 03/12/2015 10:37 AM, crony wrote:
>>
>>> Hi FreeIPA Users,
>>> I have a fresh new FreeIPA 4.1 on RHEL7.1 with a self-signed CA and I would
>>> like to change the self-signed CA to the external CA
>>>
>>> Do you have any step by step document for doing it correctly on the 4.1 version?
>>>
>>> /lm
>>>
>> Hello!
>>
>> I'm not aware of this being documented but fortunately this can be done in
>> 3 easy steps:
>>
>> 1. # ipa-cacert-manage renew --external-ca
>> 2. Let the CA of your choice sign the CRL produced in step 1.
>> 3. # ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate

Some documentation can be found in the RHEL guide:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/cas.html#change-cert-chaining

There is also an upstream design page:
http://www.freeipa.org/page/V4/CA_certificate_renewal

But in general, David was right. You would just need to do one more step if you had FreeIPA clients already enrolled - call ipa-certupdate on them.

Martin
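
A pre-flight check to run between steps 2 and 3, added here as an example and not part of the original thread or of FreeIPA's tooling: it confirms that the certificate returned by the external CA carries the public key from the signing request written in step 1, verifies against the external CA chain, and is a CA certificate. The function names, file names and the throwaway CA are constructed for illustration, and the external CA file is assumed to hold the full chain in PEM.

```shell
#!/bin/sh
# check_signed_ca CSR SIGNED_CERT EXTERNAL_CA_CHAIN   (hypothetical helper name)
# Exit status: 0 = safe to install, 1 = a check failed, 2 = unreadable input.
check_signed_ca() (
    csr=$1 cert=$2 chain=$3
    req_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    crt_key=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    if [ -z "$req_key" ] || [ -z "$crt_key" ]; then
        echo "cannot parse CSR or certificate" >&2; exit 2
    fi
    # 1. The external CA must have certified the key from our request.
    if [ "$req_key" != "$crt_key" ]; then
        echo "certificate public key does not match the CSR" >&2; exit 1
    fi
    # 2. The certificate must verify against the chain we are about to install.
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "certificate does not chain to the supplied external CA" >&2; exit 1
    fi
    # 3. It must be a CA certificate, or the IPA CA cannot issue under it.
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        echo "certificate lacks basicConstraints CA:TRUE" >&2; exit 1
    fi
)

# Constructed sample data in directory $1: a throwaway external CA, a CSR standing
# in for the one from step 1, a correct CA signature, and one issued as a leaf.
make_samples() (
    cd "$1" || exit 2
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=placeholder\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > o.cnf
    openssl req -x509 -newkey rsa:2048 -nodes -config o.cnf -extensions v3_ca \
        -subj '/CN=Constructed External CA' -keyout ext.key -out ext.pem -days 2
    openssl req -new -newkey rsa:2048 -nodes -config o.cnf \
        -subj '/CN=Constructed IPA CA' -keyout ipa.key -out ipa.csr
    openssl x509 -req -in ipa.csr -CA ext.pem -CAkey ext.key -CAcreateserial \
        -extfile o.cnf -extensions v3_ca -days 2 -out good.pem
    openssl x509 -req -in ipa.csr -CA ext.pem -CAkey ext.key -CAcreateserial \
        -days 2 -out leaf.pem
) >/dev/null 2>&1

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && make_samples "$tmp"
    check_signed_ca "$tmp/ipa.csr" "$tmp/good.pem" "$tmp/ext.pem" && echo "good.pem: ok"
    check_signed_ca "$tmp/ipa.csr" "$tmp/leaf.pem" "$tmp/ext.pem" || echo "leaf.pem: rejected"
    rm -rf "$tmp"
fi
```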