Which 'FreeIPA certificate' are you referring to? If you installed FreeIPA CA-less, then the root certificate was used to sign LDAP and HTTPd certificates and you can follow this page [1] to use a different CA and replace LDAP and HTTPd certs.

If you installed IPA with an integrated CA, then the root certificate was used to sign IPA CA certificate, and the other certificates used by FreeIPA were signed by IPA CA. In this case you would have to replace IPA CA with [2] and then renew LDAP and HTTPd certificates [3].


[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/third-party-certs-http-ldap.html

[2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/cert-renewal.html#manual-cert-renewal-ext

[3] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/replace-HTTP-LDAP-cert.html

On 03/10/2017 01:16 PM, Harald Dunkel wrote:
Hi folks,

I stumbled over this problem:


The details don't really matter. The important point is that
the root certificate used to sign freeipa's certificate
appears to be unacceptable on openBSD and maybe others.

What would you suggest? Is there a guideline to migrate
freeipa to a new certificate authority?

Every helpful comment is highly appreciated

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to