Hi folks,

I have to renew (or replace) the externally signed certificate
on my ipa servers using a new ca. Apparently the tool of choice
is ipa-cacert-manage.

Of course I found https://www.freeipa.org/page/Howto/CA_Certificate_Renewal.
Problem is, I cannot estimate the risk and if its worth the effort.
What happens to freeipa if ipa-cacert-manage fails miserably? Does it
affect the LDAP database or Kerberos? Will it break the connection
between my ipa servers or between servers and clients?

Would you suggest to forget all the "CA stuff" in freeipa and manage
the certificates externally?

The platform of the ipa servers is Centos 7.3. There are 100+
Debian and RedHat clients using freeipa 4.4.3 and 4.0.5 and 3.0.2.

I am highly concerned. Every helpful comment is appreciated.

Harri

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to