On Fri, Feb 07, 2025 at 08:44:52AM +0000, N. V. via FreeIPA-users wrote:
> Hi again,
>
> So, if re-keying is not supported, what is the process that is recommended
> for the cases where for instance the root keys are compromised? Is this
> limitation also valid in the case when the root CA is external?
>
> Thanks,
> Nelson V.
>

Hi Nelson,
Very unsupported, and the instructions may be a little stale now (the post is
from 2019, Fedora 30), but this article walks through how to completely
remove the CA from a FreeIPA deployment. From there, you can create a new CA
via `ipa-ca-install`.

https://frasertweedale.github.io/blog-redhat/posts/2019-10-24-removing-ipa-ca.html

Hope it helps,
Fraser

> On Thu, 6 Feb 2025 at 12:41, Florence Blanc-Renaud <f...@redhat.com> wrote:
>
> > Hi,
> >
> > On Thu, Feb 6, 2025 at 12:18 PM N. V. via FreeIPA-users <
> > freeipa-users@lists.fedorahosted.org> wrote:
> >
> >> Hi,
> >>
> >> In our FreeIPA deployment we need to find a way to rekey the self-signed
> >> root CA and afterwards update the chain and the certificates all the way
> >> down. I have been unable to find detailed instructions in the official
> >> documentation or through my own research, so I am reaching out for
> >> guidance.
> >>
> >> Could someone please provide instructions or point me to any relevant
> >> resources on how to properly rekey the self-signed root CA in FreeIPA? Any
> >> advice, tips, or potential pitfalls to avoid during this process would be
> >> greatly appreciated.
> >>
> >
> > Unfortunately we don't have any solution yet for this type of request.
> > Please read more in *Bug 1873696*
> > <https://bugzilla.redhat.com/show_bug.cgi?id=1873696> - [RFE] Need an
> > option to replace the root CA key with another key with 3072 bits
> >
> > It would require cross-signing the old CA with the new one, but we never
> > managed to find time to investigate this possibility.
> > flo
> >
> >> Thank you in advance for your assistance!
> >>
> >> Nelson V.
> >> --
> >> _______________________________________________
> >> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> >> To unsubscribe send an email to
> >> freeipa-users-le...@lists.fedorahosted.org
> >> Fedora Code of Conduct:
> >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >> List Archives:
> >> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> >> Do not reply to spam, report it:
> >> https://pagure.io/fedora-infrastructure/new_issue