On Fri, Feb 07, 2025 at 08:44:52AM +0000, N. V. via FreeIPA-users wrote:
> Hi again,
> 
> So, if re-keying is not supported, what is the process that is recommended
> for the cases where, for instance, the root keys are compromised? Is this
> limitation also valid in the case when the root CA is external?
> 
> Thanks,
> Nelson V.
> 
Hi Nelson,

Very unsupported and the instructions may be a little stale now
(post is from 2019, Fedora 30), but this article walks through how
to completely remove the CA from a FreeIPA deployment.  From there,
you can create a new CA via `ipa-ca-install`.

https://frasertweedale.github.io/blog-redhat/posts/2019-10-24-removing-ipa-ca.html

Hope it helps,
Fraser

> On Thu, 6 Feb 2025 at 12:41, Florence Blanc-Renaud <f...@redhat.com> wrote:
> 
> > Hi,
> >
> > On Thu, Feb 6, 2025 at 12:18 PM N. V. via FreeIPA-users <
> > freeipa-users@lists.fedorahosted.org> wrote:
> >
> >> Hi,
> >>
> >> In our FreeIPA deployment we need to find a way to rekey the self-signed
> >> root CA and afterwards update the chain and the certificates all the way
> >> down. I have been unable to find detailed instructions in the official
> >> documentation or through my own research, so I am reaching out for 
> >> guidance.
> >>
> >> Could someone please provide instructions or point me to any relevant
> >> resources on how to properly rekey the self-signed root CA in FreeIPA? Any
> >> advice, tips, or potential pitfalls to avoid during this process would be
> >> greatly appreciated.
> >>
> >
> > Unfortunately we don't have any solution yet for this type of request.
> > Please read more in *Bug 1873696*
> > <https://bugzilla.redhat.com/show_bug.cgi?id=1873696> - [RFE] Need an
> > option to replace the root CA key with another key with 3072 bits
> >
> > It would require cross-signing the old CA with the new one, but we never
> > managed to find time to investigate this possibility.
> > flo
> >
> >> Thank you in advance for your assistance!
> >>
> >> Nelson V.
> >> --
> >> _______________________________________________
> >> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> >> To unsubscribe send an email to
> >> freeipa-users-le...@lists.fedorahosted.org
> >> Fedora Code of Conduct:
> >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >> List Archives:
> >> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> >> Do not reply to spam, report it:
> >> https://pagure.io/fedora-infrastructure/new_issue
> >>
> >

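As an added illustration of the cross-signing Florence mentions (this is not from the thread and not FreeIPA tooling): the usual way to rotate a root key without an outage is to issue two bridge certificates, which RFC 4210 section 4.4 calls OldWithNew and NewWithOld. The script below builds that with the plain openssl CLI on throwaway keys and checks both that the bridges make the chains verify and that, without a bridge, a certificate issued by the old root stops validating under the new one. It assumes an openssl 1.1.1 or 3.x binary on PATH; the subjects, file names, lifetimes and helper functions are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of FreeIPA or of the thread above: a root CA rekey
# done with cross-certificates, using only the openssl CLI. Subjects, file
# names and the 30-day lifetimes are constructed for the demo.
set -eu

# Run a step quietly; abort the demo (exit the subshell) if it fails.
need() { "$@" 2>/dev/null || { echo "step failed: $*" >&2; exit 1; }; }

# True when "openssl verify" reports "<file>: OK" for the certificate given last.
verify_ok() { openssl verify "$@" 2>/dev/null | grep -q ': OK$'; }

# Runs in a subshell so the cd and exit stay local; returns 0 on success.
crosssign_demo() (
    dir=$(mktemp -d); cd "$dir"

    # Extension profiles: self-signed roots, cross-certs, and a TLS server leaf.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > root.ext
    { cat root.ext; echo 'authorityKeyIdentifier=keyid'; } > cross.ext
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' 'subjectKeyIdentifier=hash' \
        'authorityKeyIdentifier=keyid' > leaf.ext

    # 1. Current root (2048-bit, the key being retired) and its replacement
    #    (3072-bit, the size the RFE asks for): separate keys, distinct subjects.
    need openssl genrsa -out old.key 2048
    need openssl genrsa -out new.key 3072
    need openssl req -new -key old.key -subj '/O=IPA.EXAMPLE/CN=Certificate Authority' -out old.csr
    need openssl req -new -key new.key -subj '/O=IPA.EXAMPLE/CN=Certificate Authority G2' -out new.csr
    need openssl x509 -req -in old.csr -signkey old.key -days 30 -extfile root.ext -out old-root.pem
    need openssl x509 -req -in new.csr -signkey new.key -days 30 -extfile root.ext -out new-root.pem

    # 2. Bridge certificates. Each carries one root's subject and public key
    #    (it is built from the same CSR as the root) but is signed by the other.
    #    OldWithNew: clients that trust only the NEW root can still build a
    #    chain for everything the OLD root has already issued.
    need openssl x509 -req -in old.csr -CA new-root.pem -CAkey new.key -CAcreateserial \
        -days 30 -extfile cross.ext -out old-with-new.pem
    #    NewWithOld: clients that still trust only the OLD root accept what the
    #    NEW root issues during the transition.
    need openssl x509 -req -in new.csr -CA old-root.pem -CAkey old.key -CAcreateserial \
        -days 30 -extfile cross.ext -out new-with-old.pem

    # 3. One end-entity certificate from each root, same key and subject.
    need openssl genrsa -out leaf.key 2048
    need openssl req -new -key leaf.key -subj '/CN=host.ipa.example' -out leaf.csr
    need openssl x509 -req -in leaf.csr -CA old-root.pem -CAkey old.key -CAcreateserial \
        -days 30 -extfile leaf.ext -out leaf-by-old.pem
    need openssl x509 -req -in leaf.csr -CA new-root.pem -CAkey new.key -CAcreateserial \
        -days 30 -extfile leaf.ext -out leaf-by-new.pem

    # 4. Both directions verify once the matching bridge is supplied as an
    #    untrusted intermediate ...
    need verify_ok -CAfile new-root.pem -untrusted old-with-new.pem leaf-by-old.pem
    need verify_ok -CAfile old-root.pem -untrusted new-with-old.pem leaf-by-new.pem
    # ... and without the bridge the old-issued leaf does NOT chain to the new
    # root. That is the gap a rekey without cross-signing leaves every
    # already-issued certificate in until it is reissued.
    if verify_ok -CAfile new-root.pem leaf-by-old.pem; then
        echo "unexpected: old-issued leaf verified under the new root alone" >&2
        exit 1
    fi
    echo "cross-signed rollover verified in $dir"
)
```

Source the file and call crosssign_demo; it leaves the generated PEM files in the temp directory it prints so you can inspect them with `openssl x509 -text`. Two caveats worth keeping in mind when mapping this onto the thread: the remove-and-reinstall route Fraser links gives you a fresh CA but no OldWithNew bridge, so certificates issued by the old CA have to be renewed rather than bridged; and for Nelson's compromise case cross-signing does not help at all, because anyone holding the old private key can mint certificates that every client still trusting the old root (directly or through an OldWithNew bridge for that key) will accept. Bridges are a tool for planned rotation; a compromised root needs a hard cut-over and reissuance.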