Hi
In our current ipa implementation some of the ipa internal certificates are not able to be renewed correctly.
After a lot of support both from Red Hat and also through this list, neither of which was able to fix the issue, I was advised by Red Hat to implement a new instance of ipa and migrate to it.
I now have the new ipa instance running on RHEL7 servers, but before migrating clients and users to it would like to test that the ipa certificate renewal will work correctly. However, I don't want to break the new instance!
I've read chapters 24 and 26 of the Linux Domain Identity, Authentication and Policy guide and I'm not sure either is relevant to renewing e.g. 'ocspSigningCert cert-pki-ca', which was one of the ones I was having problems with before.
In trying to fix the current ipa implementation we have been using e.g. 'getcert resubmit -i <id>', where <id> is the id of the 'ocspSigningCert cert-pki-ca' certificate as shown by 'getcert list'.
Is 'getcert resubmit -i <id>' a sensible way to test renewing a certificate manually in a working ipa instance?
Do I need to do anything else to propagate the new certificate to the replica?
Do I need to explicitly revoke the old certificate, and if so, how?
Thanks.
Roderick Johnstone
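An added example, not from the poster or this list: a small POSIX shell check that finds the certmonger tracking request for a nickname such as 'ocspSigningCert cert-pki-ca' and reports whether it is back in MONITORING and not stuck, which is the state to confirm on each server after a 'getcert resubmit -i <id>'. It runs on constructed sample output embedded below; the layout and field names are assumptions about certmonger's 'getcert list' format, and on a live server the sample function would be replaced by the real command.

```shell
#!/bin/sh
# Added example (not the poster's code). The text below is constructed sample
# output in the shape of `getcert list`; the layout is an assumption.
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20170101120000':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    expires: 2019-01-01 12:00:00 UTC
Request ID '20170101120001':
    status: CA_UNREACHABLE
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    expires: 2018-06-01 12:00:00 UTC
EOF
}

# Print the Request ID whose "certificate:" line carries nickname=$1 (reads stdin).
request_id_for_nickname() {
    awk -v nick="$1" -v q="'" '
        /^Request ID / { id = $3; gsub(q, "", id); sub(/:$/, "", id) }
        /^[ \t]*certificate: / && index($0, "nickname=" q nick q) { print id; exit }
    '
}

# Print one field (status, stuck, expires, ...) of request $1 (reads stdin).
request_field() {
    awk -v want="$1" -v key="$2" -v q="'" '
        /^Request ID / { id = $3; gsub(q, "", id); sub(/:$/, "", id) }
        id == want && $1 == key ":" { sub(/^[ \t]*[^:]+: /, ""); print; exit }
    '
}

# Post-resubmit verdict: healthy only when the request is back in MONITORING
# and not stuck. Prints a one-line summary; exit status 0 = healthy, 1 = not.
renewal_ok() {
    list="$(cat)"
    id="$(printf '%s\n' "$list" | request_id_for_nickname "$1")"
    [ -n "$id" ] || { echo "no tracking request for nickname $1"; return 1; }
    status="$(printf '%s\n' "$list" | request_field "$id" status)"
    stuck="$(printf '%s\n' "$list" | request_field "$id" stuck)"
    expires="$(printf '%s\n' "$list" | request_field "$id" expires)"
    echo "$1: request $id status=$status stuck=$stuck expires=$expires"
    [ "$status" = MONITORING ] && [ "$stuck" = no ]
}
```

Run the same check on the replica as well: certmonger tracks each server's copy separately, so a healthy status on one host says nothing about the other.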