On Fri, Mar 10, 2017 at 01:16:42PM +0100, Harald Dunkel wrote:
> Hi folks,
> I stumbled over this problem:
> The details don't really matter. The important point is that
> the root certificate used to sign freeipa's certificate
> appears to be unacceptable on openBSD and maybe others.
> What would you suggest? Is there a guideline to migrate
> freeipa to a new certificate authority?
> Every helpful comment is highly appreciated
The issue in that thread was resolved. It was caused by invalid
encoding of the notAfter field. I think OpenBSD uses LibreSSL in
their base system - and I guess it adheres more strictly to RFC 5280
than other implementations.
As for migrating to a new CA (or merely installing a newer
certificate for the original CA, with correct encoding), you can do
it via ipa-cacert-manage(1).
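The reply above attributes the failure to invalid encoding of the notAfter field but does not say what was wrong with it. As an added example (not from the thread or from the FreeIPA project), this Python checker walks a DER certificate and tests both Validity times against the RFC 5280 section 4.1.2.5 rules: UTCTime as YYMMDDHHMMSSZ for dates through 2049, GeneralizedTime as YYYYMMDDHHMMSSZ from 2050 on. All function names are hypothetical, and `sample_cert` builds a constructed skeleton rather than a real certificate.

```python
import re

UTC_TIME, GENERALIZED_TIME = 0x17, 0x18    # DER universal tags

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def check_time(name, tag, raw):
    """Return RFC 5280 section 4.1.2.5 violations for one Validity time."""
    text = raw.decode("ascii", "replace")
    if tag == UTC_TIME:
        ok = re.fullmatch(r"\d{12}Z", text)
        return [] if ok else [f"{name}: UTCTime must be YYMMDDHHMMSSZ, got {text!r}"]
    if tag != GENERALIZED_TIME:
        return [f"{name}: unexpected tag 0x{tag:02x}"]
    if not re.fullmatch(r"\d{14}Z", text):
        return [f"{name}: GeneralizedTime must be YYYYMMDDHHMMSSZ, got {text!r}"]
    if int(text[:4]) < 2050:               # dates through 2049 must be UTCTime
        return [f"{name}: {text!r} is before 2050 and must be UTCTime"]
    return []

def check_validity(cert_der):
    """Find tbsCertificate.validity in a DER certificate and check both times."""
    fields = children(read_tlv(read_tlv(cert_der, 0)[1], 0)[1])  # Certificate -> tbsCertificate
    start = 1 if fields[0][0] == 0xA0 else 0          # skip optional [0] version
    (nb_tag, nb), (na_tag, na) = children(fields[start + 3][1])  # serial, sigAlg, issuer, validity
    return check_time("notBefore", nb_tag, nb) + check_time("notAfter", na_tag, na)

def tlv(tag, value):                       # short-form DER encoder for the constructed sample only
    return bytes([tag, len(value)]) + value

def sample_cert(not_after_tag, not_after):
    """Constructed skeleton, not a real certificate: empty names, no key or signature."""
    validity = tlv(0x30, tlv(UTC_TIME, b"170101000000Z") + tlv(not_after_tag, not_after))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") * 2 + validity
    return tlv(0x30, tlv(0x30, tbs))
```

To check a real CA certificate, pass `check_validity` the DER bytes, for example the output of `openssl x509 -in ca.crt -outform DER`.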