Yeah I knew that the passync utility would only communicate with 1 server. 
I'm not too worried about password sync for our new IdM server until it 
actually replaces the old server.
I just didn't know how Windows would handle having multiple CA certs and if it 
would get cranky because of it. Last thing I want to do is have users coming to 
complain about the passwords not syncing.

Thanks for the input guys, I'll give it a shot to see how it goes.


-----Original Message-----
From: Rich Megginson [] 
Sent: Thursday, July 09, 2015 10:37 AM
To: Rob Crittenden; Joseph, Matthew (EXP);
Subject: EXTERNAL: Re: [Freeipa-users] Multiple CA certificates (for PassSync)

On 07/09/2015 07:23 AM, Rob Crittenden wrote:
> Joseph, Matthew (EXP) wrote:
>> Hello,
>> We are currently in the process of replacing our IdM 3.x server with 
>> 4.x.
>> There are going to be some major directory changes during the upgrade so
>> I need to keep both the old and new IdM servers up and running 
>> separately.
>> Part of our configuration is using the password sync between IdM and
>> Active Directory.
>> I can't find any information on this so I figured I'd ask you guys to
>> see if anyone has done this before.
>> Can I have two CA certificates from 2 IdM servers installed on the
>> Active Directory server? And will this cause any issues with our
>> password sync?
> I'm not sure if you can do this. The CA is probably the least of your 
> problems. I don't believe the AD passsync service can be aware of 
> multiple consumers like this.

Right.  passsync can talk to only 1 IdM server.

To use multiple CA certs, just use the certutil tool to install an 
additional CA cert as per the docs.

> Rich may know.
> rob
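As an added example that is not code from this thread or from the FreeIPA project, the following PowerShell script does what Rich describes: it installs a second IPA CA certificate into the PassSync NSS database with certutil and then lists the database to confirm both certificates are present. The install directory, the PEM file paths, the nicknames and the service name are assumptions; adjust them to the actual PassSync installation. Note that the certutil meant here is the NSS certutil.exe shipped with PassSync, not the unrelated Windows certutil.exe that happens to share the name.

```powershell
# Added example (not from the thread): add a second IPA CA cert to the
# PassSync NSS database and verify both CA certs are installed.
# Assumptions (not stated in the thread): PassSync is installed in
# $PassSyncDir and both CA certs have been exported as PEM files.

$PassSyncDir = 'C:\Program Files\Red Hat Directory Password Synchronization'  # assumed install path
$CaCerts = @{
    'IdM 3.x CA' = 'C:\certs\idm3-ca.pem'   # constructed path, old server's CA
    'IdM 4.x CA' = 'C:\certs\idm4-ca.pem'   # constructed path, new server's CA
}

# Call the NSS certutil.exe that ships with PassSync by full path so the
# Windows certutil.exe (a different tool with the same name) is never picked up.
$CertUtil = Join-Path $PassSyncDir 'certutil.exe'
if (-not (Test-Path $CertUtil)) { throw "NSS certutil not found at $CertUtil" }

foreach ($nick in $CaCerts.Keys) {
    $pem = $CaCerts[$nick]
    if (-not (Test-Path $pem)) { throw "CA file not found: $pem" }
    # -d  NSS database directory (PassSync keeps its DB in its install dir)
    # -A  add a certificate      -n  nickname, must be unique per certificate
    # -t  "CT,," trust it as a CA for TLS server certificates
    # -a  input is PEM (ASCII)   -i  input file
    & $CertUtil -d $PassSyncDir -A -n $nick -t 'CT,,' -a -i $pem
    if ($LASTEXITCODE -ne 0) { throw "certutil failed while adding '$nick'" }
}

# List the database: each nickname should appear exactly once with CT,, flags.
& $CertUtil -d $PassSyncDir -L

# PassSync reads the NSS database at start-up, so restart it to pick up the
# new CA. 'PassSync' is the assumed Windows service name.
Restart-Service -Name 'PassSync'
```

Both CA certificates can sit in the same database without conflict because NSS keys them by nickname and subject, but, as the thread says, PassSync itself will still only send password changes to the single server configured in its settings; having the new CA trusted in advance simply means the switch to the 4.x server later does not also require a certificate change.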
