Hello,
Using freeipa 4.5.
I've replaced an external root CA that had a very short key, and have gone through the process of resigning the ipa intermediate-CA.
I've used ipa-cacert-manage to generate a new csr and have signed it with my new external CA. The cert was successfully imported.
I also ran ipa-certupdate on 2 of 2 ipa servers and I can see the new CA listed on both ipa servers with 'certutil -L -d /etc/pki/pki-tomcat/alias'
When I run 'ipa-getcert resubmit -n Server-Cert -d /etc/httpd/alias' on an ipa server the certificate is resubmitted, but it's still being signed by the old ipa intermediate-CA.
I also see in the web ui under Authentication -> Certificates -> Certificate Authorities that only one ca named 'ipa' exists, and I can see the Issuer DN is still the old root CA.
How can I invalidate the old intermediate-CA so the new intermediate-CA is used to sign certs going forward?
Thanks, Steve
On 12/18/2017 08:54 PM, Steve Dainard via FreeIPA-users wrote:
When I run 'ipa-getcert resubmit -n Server-Cert -d /etc/httpd/alias' on an ipa server the certificate is resubmitted, but it's still being signed by the old ipa intermediate-CA.
Hi,
you changed the external root CA when renewing the IPA CA, meaning that the IPA CA has a new cert chain containing the external root CA, but the IPA CA keeps the same subject name "CN=Certificate Authority,O=DOMAIN.COM".
The command resubmit asks IPA CA to renew the Server-Cert. So it is expected that you see the same "old ipa intermediate CA" as issuer of your Server-Cert for HTTPd.
I also see in the web ui under Authentication -> Certificates -> Certificate Authorities that only one ca named 'ipa' exists, and I can see the Issuer DN is still the old root CA.
This is a bug tracked in issue 7316: The Issuer DN field in IPA is not updating properly [1]. The web UI and the command 'ipa ca-show ipa' read the issuer name from an LDAP entry that is not updated. But if you look at the content of the certificate, you will be able to check that the issuer is indeed the new external root CA.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
HTH, Flo

[1] https://pagure.io/freeipa/issue/7316
Hi Flo,
On Tue, Dec 19, 2017 at 8:17 AM, Florence Blanc-Renaud flo@redhat.com wrote:
you changed the external root CA when renewing IPA CA, meaning that IPA CA has a new cert chain containing the ext root CA, but IPA CA keeps the same subject name "CN=Certificate Authority,O=DOMAIN.COM".
The command resubmit asks IPA CA to renew the Server-Cert. So it is expected that you see the same "old ipa intermediate CA" as issuer of your Server-Cert for HTTPd.
To double-check, I ran through the process of requesting an HTTP cert on a new server, and indeed the Issuer CN is the same "CN=Certificate Authority,O=DOMAIN.COM" (which makes sense from your answer). But when I look at the HTTP cert I just requested, the IPA CA cert's 'Issued CN' field is the old external CA.
To get my client cert I followed the process here: https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger. One of the first steps is to pull the IPA CAs into the NSS DB. I have 4 certs in that file now, which builds the chains for old ext CA/old IPA CA and new ext CA/new IPA CA. I don't think this has any impact on the cert request process, but it does show that both chains are in IPA.
On 12/19/2017 06:59 PM, Steve Dainard via FreeIPA-users wrote:
To double-check, I ran through the process of requesting an HTTP cert on a new server, and indeed the Issuer CN is the same "CN=Certificate Authority,O=DOMAIN.COM" (which makes sense from your answer). But when I look at the HTTP cert I just requested, the IPA CA cert's 'Issued CN' field is the old external CA.
Hi,
which command are you running to check the IPA CA cert issuer?
Flo
On Wed, Dec 20, 2017 at 12:53 AM, Florence Blanc-Renaud flo@redhat.com wrote:
which command are you running to check the IPA CA cert issuer?
I hadn't trusted the new external root CA in my client browser, so I expected a trust exception, which I didn't encounter; I just looked at the cert in the browser and noticed the IPA CA issuer CN was the old external CA.
Hi Flo,
Is there anything I can do to help troubleshoot this issue? Or is there a bugzilla issue I can watch?
Thanks, Steve
On 01/10/2018 07:47 PM, Steve Dainard via FreeIPA-users wrote:
Hi Flo,
Is there anything I can do to help troubleshoot this issue? Or is there a bugzilla issue I can watch?
Thanks, Steve
Hi Steve,
I was not able to reproduce the behavior you are experiencing. With IPA 4.5.0-22 on rhel 7.4:
- install IPA master with an external CA rootCA1
- access the ipa webUI from firefox on a machine outside of the IPA domain; I need to add an exception for the httpd cert
- renew the IPA CA using a different external CA rootCA2 (ipa-cacert-manage renew --external-ca / obtain cert / ipa-cacert-manage renew --external-cert-file / ipa-certupdate)
- renew the httpd cert using getcert resubmit -i <id for httpd server cert>
- access the ipa webUI from the same firefox browser, forcing a page reload; I need to add a new exception for the new httpd cert. If I look at the certificate hierarchy in firefox I can see the issuer for the IPA CA is rootCA2.
Did you follow the same steps?
Flo
Steve Dainard via FreeIPA-users wrote:
Hi Flo,
Is there anything I can do to help troubleshoot this issue? Or is there a bugzilla issue I can watch?
Flo wasn't able to reproduce this so there is no bug unless you file one.
I'd look at the CA to see what the signer is:
# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias/
There may be 2 caSigningCert entries, one for each of the external CAs
# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias/ -n 'caSigningCert cert-pki-ca'
This should show both of them; it can be confusing since they will be listed one right after the other, and it won't be clear which one NSS is picking for signing. It will confirm (or not) that the CA cert has been updated at all.
rob
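Added example (my own script, not code from the thread or from the FreeIPA project) that makes two points in this thread concrete: Flo's, that the renewed IPA CA keeps its key pair and subject, so a Server-Cert chains to both the old and the new IPA CA certificate; and Rob's, that with two 'caSigningCert cert-pki-ca' entries you cannot tell from the listing which one is in use. It assumes only the openssl command line; the file names Server-Cert.pem, ipa-ca-old.pem and ipa-ca-new.pem and the function names are my own. Export the candidates first, e.g. certutil -L -d /var/lib/pki/pki-tomcat/ca/alias -n 'caSigningCert cert-pki-ca' -a > bundle.pem (prints every certificate stored under that nickname, PEM-encoded) and certutil -L -d /etc/httpd/alias -n Server-Cert -a > Server-Cert.pem, split the bundle with split_pem, then run which_ca; served_chain shows which of the same-subject CA certificates httpd actually sends in the TLS handshake, which is what the browser displayed.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Assumes only the
# openssl command line; file and function names are my own.
#
# After "ipa-cacert-manage renew --external-cert-file" the IPA CA keeps its key
# pair and its subject ("CN=Certificate Authority,O=DOMAIN.COM"); only the
# issuer, serial and signature of the CA certificate change. A Server-Cert
# therefore validates under BOTH the old and the new IPA CA certificate, and
# the leaf's issuer DN or Authority Key Identifier cannot tell you which chain
# a server is presenting. The fingerprint of the CA certificate itself can.
set -eu

# cert_summary FILE.pem -> "subject|issuer|serial|sha256 fingerprint"
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -serial -fingerprint -sha256 \
        | sed 's/^subject=//; s/^issuer=//; s/^serial=//; s/^[Ss][Hh][Aa]256 Fingerprint=//' \
        | paste -s -d '|' -
}

# fingerprint FILE.pem -> "AB:CD:..." (SHA-256), the value a browser's
# certificate viewer or "openssl s_client -showcerts" lets you compare against
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# verifies_under LEAF.pem CA.pem -> true if LEAF was signed by the key in CA.pem.
# -partial_chain makes the (non-self-signed) IPA CA cert an acceptable trust
# anchor, so the external root is not needed to answer this question.
verifies_under() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# which_ca LEAF.pem CA1.pem [CA2.pem ...] -> one line per candidate that
# validates LEAF: "<fingerprint>  <file>". Two lines means the candidates share
# a key; tell them apart by fingerprint, never by subject or issuer DN alone.
which_ca() {
    leaf=$1; shift
    n=0
    for ca in "$@"; do
        if verifies_under "$leaf" "$ca"; then
            printf '%s  %s\n' "$(fingerprint "$ca")" "$ca"
            n=$((n + 1))
        fi
    done
    [ "$n" -gt 0 ]
}

# split_pem BUNDLE.pem DIR -> writes DIR/1.pem, DIR/2.pem, ... and prints the
# names. "certutil -L -d DB -n NICK -a" prints every certificate stored under
# NICK, so a duplicated 'caSigningCert cert-pki-ca' nickname yields a bundle.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem" }
        n { print > out }
        END { for (i = 1; i <= n; i++) print dir "/" i ".pem" }' "$1"
}

# served_chain HOST[:PORT] -> cert_summary of every certificate the TLS server
# sends, leaf first. The CA line shows which of the same-subject CA certs httpd
# is actually handing out; compare it with the pki-tomcat NSS database.
served_chain() {
    case $1 in *:*) host=${1%%:*}; port=${1#*:} ;; *) host=$1; port=443 ;; esac
    dir=$(mktemp -d)
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null > "$dir/chain.pem"
    for f in $(split_pem "$dir/chain.pem" "$dir"); do cert_summary "$f"; done
}

# Stand-alone use: sh ca-which.sh Server-Cert.pem ipa-ca-old.pem ipa-ca-new.pem
if [ $# -ge 2 ]; then
    which_ca "$@"
fi
```

Because both IPA CA certificates carry the same key, which_ca prints two lines for a Server-Cert: the leaf is valid under either chain, and a browser simply shows whichever CA certificate the server put on the wire. Compare the fingerprint from served_chain with the two entries exported from the duplicated nickname; the one whose issuer is the old external root is the stale copy.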