Which 'FreeIPA certificate' are you referring to? If you installed
FreeIPA CA-less, then the root certificate was used to sign LDAP and
HTTPd certificates and you can follow this page  to use a different
CA and replace LDAP and HTTPd certs.
If you installed IPA with an integrated CA, then the root certificate
was used to sign IPA CA certificate, and the other certificates used by
FreeIPA were signed by IPA CA. In this case you would have to replace
IPA CA with  and then renew LDAP and HTTPd certificates .
On 03/10/2017 01:16 PM, Harald Dunkel wrote:
I stumbled over this problem:
The details don't really matter. The important point is that
the root certificate used to sign freeipa's certificate
appears to be unacceptable on openBSD and maybe others.
What would you suggest? Is there a guideline to migrate
freeipa to a new certificate authority?
Every helpful comment is highly appreciated
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project