Noting that it's now possible to modify the CA certificate subject name at install time in 4.5 and 4.6, is there any provision for doing so after an upgrade to one of those releases with a cert that originated in a 4.4 instance? Possibly involving renewal of the (externally signed) CA cert, if necessary?
-Rob
Rob Foehl via FreeIPA-users wrote:
> Noting that it's now possible to modify the CA certificate subject name at install time in 4.5 and 4.6, is there any provision for doing so after an upgrade to one of those releases with a cert that originated in a 4.4 instance? Possibly involving renewal of the (externally signed) CA cert, if necessary?
I'm not authoritative on this but I don't think so.
Using an external CA would probably be the only way this would work, but even then I have my doubts. Some other things would also need to change, like the LDAP certificate profile(s), existing certs would probably need to be re-issued (I'm particularly fuzzy on this part b/c while the issuers wouldn't match, the CA private key would), and maybe some other corner cases.
It would be an interesting exercise if you wanted to give it a go on some test system(s).
rob
freeipa-users@lists.fedorahosted.org