On Mon, 20 Jan 2020, Rob Crittenden wrote:
Florence Blanc-Renaud via FreeIPA-users wrote:
Sure, you can follow a manual process to remove the self-signed cert:
1- use ldapmodify in order to remove the cert from the LDAP database.
You need first to find the exact dn, and then the exact
cACertifi
On Mon, 20 Jan 2020, Fraser Tweedale wrote:
On Mon, Jan 13, 2020 at 04:58:05AM -0500, Rob Foehl via FreeIPA-users wrote:
On Thu, 2 Jan 2020, Rob Foehl via FreeIPA-users wrote:
The question remains: how do I get rid of the self-signed CA entirely?
Best hint toward this I've managed to
On Thu, 16 Jan 2020, Florence Blanc-Renaud wrote:
On 1/13/20 10:58 AM, Rob Foehl via FreeIPA-users wrote:
On Thu, 2 Jan 2020, Rob Foehl via FreeIPA-users wrote:
The question remains: how do I get rid of the self-signed CA entirely?
Hi Rob,
there is currently no easy way to do this
On Thu, 2 Jan 2020, Rob Foehl via FreeIPA-users wrote:
The question remains: how do I get rid of the self-signed CA entirely?
Best hint toward this I've managed to find thus far is in the comments on
https://pagure.io/freeipa/issue/7283 , which got me as far as the
cACertificat
On Thu, 2 Jan 2020, Florence Blanc-Renaud wrote:
On 1/2/20 7:24 AM, Rob Foehl via FreeIPA-users wrote:
Went to renew an externally-signed IPA CA certificate that was valid
through today, and discovered that FreeIPA had decided to renew it with a
self-signed cert a month ago, and had since
Went to renew an externally-signed IPA CA certificate that was valid
through today, and discovered that FreeIPA had decided to renew it with a
self-signed cert a month ago, and had since reissued all other subsystem
certs against that self-signed CA. After running through the
ipa-cacert-manage
On Mon, 12 Nov 2018, Rob Foehl via FreeIPA-users wrote:
On Tue, 13 Nov 2018, Fraser Tweedale wrote:
Can you please clarify, what is the procedure to rebuild the master
via replication?
Honestly, no, as there isn't any clearly documented way to do this ;)
https://www.freeipa.org
On Tue, 13 Nov 2018, Fraser Tweedale wrote:
On Mon, Nov 12, 2018 at 07:55:33PM -0500, Rob Foehl wrote:
Incidentally, this is partly the result of not being able to upgrade in
place: an attempted 4.6.3 to 4.6.4 upgrade on F27 currently fails when
verifying the CA audit signing cert lifetime, as i
On Tue, 4 Dec 2018, Fraser Tweedale wrote:
On Tue, Dec 04, 2018 at 01:49:04AM -0500, Rob Foehl via FreeIPA-users wrote:
Is the service principal necessary just to satisfy this requirement?
It is required, but you can use the host principal, i.e.
"host/foo.example.com@YOUR.REALM".
On Tue, 4 Dec 2018, Fraser Tweedale wrote:
No significant differences for most use cases. If using only host
principals works for you, go ahead.
Probably should've tried it first... A request like this:
ipa-getcert request -f cert -k key -D test.example.com -w
fails with "The IPA backend r
Are there any practical differences between IPA-issued certificates for
hosts and services (ipa-getcert -K service/hostname for the latter), if
they're only being used to identify the host in a non-Kerberos-aware TLS
context?
I'd like to omit the service management if it's not useful in this c
On Tue, 13 Nov 2018, Fraser Tweedale wrote:
Can you please clarify, what is the procedure to rebuild the master
via replication?
Honestly, no, as there isn't any clearly documented way to do this ;)
https://www.freeipa.org/page/Howto/Migration#Migrating_to_different_platform_or_OS
is about a
If I have a pair of IPA servers and need to reinstall the one currently
holding the CA master, is it actually necessary to promote the other one,
or can I just follow the procedure to rebuild the current master via
replication and then verify its CA configuration[1] after the fact?
Thanks,
-R
Noting that it's now possible to modify the CA certificate subject name at
install time in 4.5 and 4.6, is there any provision for doing so after an
upgrade to one of those releases with a cert that originated in a 4.4
instance? Possibly involving renewal of the (externally signed) CA cert,
if
On Mon, 19 Jun 2017, Rob Crittenden wrote:
Rob Foehl wrote:
On Thu, 15 Jun 2017, Rob Crittenden wrote:
Rob Foehl wrote:
Can I at least get a yes or no on whether external CA certificate
renewal has ever been tested when that certificate is nearing
expiration?
Yes. I tested this with IPA v3
On Thu, 15 Jun 2017, Rob Crittenden wrote:
Rob Foehl wrote:
Can I at least get a yes or no on whether external CA certificate
renewal has ever been tested when that certificate is nearing expiration?
Yes. I tested this with IPA v3.0. Did it break in between? Possible.
As I pointed out certmo
On Fri, 9 Jun 2017, I wrote:
In short, that didn't go particularly well at all, which in some ways brings
me back to the original as-yet-unanswered deployment question:
Is trying to do this with an external CA worth the pain?
Three attempts at this question, and zero answers...
Can I at lea
On Fri, 26 May 2017, Rob Crittenden wrote:
Rob Foehl via FreeIPA-users wrote:
On Fri, 26 May 2017, Fraser Tweedale wrote:
What is the validity of the leaf certificates? Is the notAfter time
of the leaf certificate pegged to the notAfter time of the CA
certificate? If so, this is (IMO) a
On Fri, 26 May 2017, Fraser Tweedale wrote:
What is the validity of the leaf certificates? Is the notAfter time
of the leaf certificate pegged to the notAfter time of the CA
certificate? If so, this is (IMO) a bug.
The leaf certs' expiration is pegged to that of the CA cert that was used
to
On Thu, 25 May 2017, Fraser Tweedale wrote:
This is not correct. The CA cert must be valid for the leaf cert to
be valid, but the CA cert *can* be renewed without requiring leaf
certificates to be reissued. So long as the following conditions
are met, everything will be fine:
1. The CA's key
I've got a test instance of FreeIPA 4.4.4 running on F25 that was
installed with --external-ca, and the resulting CSR signed with a validity
period of 30 days to test behavior around expirations.
Upon booting that instance today, certmonger decided to preemptively renew
every IPA cert -- which
21 matches