On 01/12/2017 02:57 PM, Jeff Goddard wrote:
I've had issues with expired certificates. In the course of
troubleshooting I've somehow set the CAs to external. Is there a way I
can switch back?

[root@id-management-1 conf]# getcert list-cas
CA 'SelfSign':
        is-default: no
        ca-type: INTERNAL:SELF
        next-serial-number: 01
CA 'IPA':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
CA 'certmaster':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/certmaster-submit
CA 'dogtag-ipa-renew-agent':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
CA 'local':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/local-submit
CA 'dogtag-ipa-ca-renew-agent':
        is-default: no
        ca-type: EXTERNAL
        helper-location: /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit -vv

Thanks,

Jeff



Hi Jeff,

The following documentation explains how to change the certificate chain from externally-signed to self-signed:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/change-cert-chaining.html

HTH,
Flo.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
