Hi folks, I have to renew (or replace) the externally signed certificate on my ipa servers using a new ca. Apparently the tool of choice is ipa-cacert-manage.
Of course I found https://www.freeipa.org/page/Howto/CA_Certificate_Renewal. Problem is, I cannot estimate the risk and if its worth the effort. What happens to freeipa if ipa-cacert-manage fails miserably? Does it affect the LDAP database or Kerberos? Will it break the connection between my ipa servers or between servers and clients? Would you suggest to forget all the "CA stuff" in freeipa and manage the certificates externally? The platform of the ipa servers is Centos 7.3. There are 100+ Debian and RedHat clients using freeipa 4.4.3 and 4.0.5 and 3.0.2. I am highly concerned. Every helpful comment is appreciated. Harri -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project