On Mon, Jan 13, 2020 at 04:58:05AM -0500, Rob Foehl via FreeIPA-users wrote:
> On Thu, 2 Jan 2020, Rob Foehl via FreeIPA-users wrote:
>
> > The question remains: how do I get rid of the self-signed CA entirely?
>
> Best hint toward this I've managed to find thus far is in the comments on
> https://pagure.io/freeipa/issue/7283 , which got me as far as the
> cACertificate and ipaCertIssuerSerial entries corresponding to the
> extraneous self-signed cert... If I remove those and the cert from the
> NSSDBs, then what? Reissue all dependent certs in the IPA CA chain?
>
If the IPA CA's key and subject did not change, then there is no need to
reissue end-entity or other subordinate certificates. Only the IPA CA
certificate needs to be renewed (from self-signed to externally signed)
and distributed.

Cheers,
Fraser
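
The point made in the reply above (same CA key and subject means existing certificates keep validating) can be checked with the openssl CLI. This is an added example, not part of the original message and not FreeIPA tooling; the subjects, file names, external root and helper function names are all constructed for the demo.

```shell
#!/bin/sh
# Constructed demo PKI: every subject and file name here is made up.
# Assumes the openssl CLI is on PATH. Works in a fresh temp directory.
SUBJ_CA="/O=EXAMPLE.TEST/CN=Certificate Authority"

newreq() {  # newreq <name> <subject>: fresh EC key plus CSR
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" &&
    openssl req -new -config req.cnf -key "$1.key" -subj "$2" -out "$1.csr"
}

sign() {  # sign <csr> <out> <extfile> <signer options...>
    csr=$1; out=$2; ext=$3; shift 3
    openssl x509 -req -in "$csr" -out "$out" -extfile "$ext" -days 30 "$@" 2>/dev/null
}

build_demo_pki() {
    printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n' > req.cnf
    printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nauthorityKeyIdentifier=keyid\n' > leaf.ext
    # Original state: self-signed CA and one end-entity cert issued by it.
    newreq ca "$SUBJ_CA" && sign ca.csr ca-self.pem ca.ext -signkey ca.key &&
    newreq leaf "/O=EXAMPLE.TEST/CN=host.example.test" &&
    sign leaf.csr leaf.pem leaf.ext -CA ca-self.pem -CAkey ca.key -CAcreateserial &&
    # External root that signs the CA from now on.
    newreq root "/O=External/CN=External Root" &&
    sign root.csr root.pem ca.ext -signkey root.key &&
    # Renewal: same CSR (same key, same subject), different signer.
    sign ca.csr ca-ext.pem ca.ext -CA root.pem -CAkey root.key -CAcreateserial &&
    # Counter-example: same subject, new key.
    newreq ca2 "$SUBJ_CA" &&
    sign ca2.csr ca-rekeyed.pem ca.ext -CA root.pem -CAkey root.key -CAcreateserial
}

same_subject_and_key() {  # <old CA cert> <new CA cert>
    [ "$(openssl x509 -in "$1" -noout -subject -pubkey)" = \
      "$(openssl x509 -in "$2" -noout -subject -pubkey)" ]
}

leaf_chains_via() {  # <CA cert offered as intermediate>; trust anchor is root.pem
    openssl verify -CAfile root.pem -untrusted "$1" leaf.pem 2>/dev/null |
        grep -q ': OK$'
}

demo() {
    cd "$(mktemp -d)" && build_demo_pki || return 1
    same_subject_and_key ca-self.pem ca-ext.pem && echo "renewed CA keeps subject and key"
    leaf_chains_via ca-ext.pem && echo "existing leaf verifies via renewed CA"
    leaf_chains_via ca-rekeyed.pem || echo "existing leaf fails via rekeyed CA"
}
demo
```

On a real deployment, `same_subject_and_key` run against the old and new CA certificate files is the check that decides whether subordinate certificates can be left alone.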