Hi Flo,

On Wed, 2 Aug 2017 16:24:00 +0200 Florence Blanc-Renaud <f...@redhat.com> wrote:

> Hi,
>
> You can follow the steps described here:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/cert-renewal.html#manual-cert-renewal-ext
>
> ipa-cacert-manage renew --external-ca will create a CSR file that can be
> sent to the new certificate authority. You will then receive a new cert
> for IPA + a new CA chain that will be used in ipa-cacert-manage renew
> --external-cert-file.
>
> HTH,
> Flo

This appears to be very precise documentation, but if you look closely then you get

# ssh root@ipaclient1
# ipa-certupdate
trying https://ipa2.example.com/ipa/json
Forwarding 'schema' to json server 'https://ipa2.example.com/ipa/json'
trying https://ipa2.example.com/ipa/json
Forwarding 'ca_is_enabled' to json server 'https://ipa2.example.com/ipa/json'
Forwarding 'ca_find/1' to json server 'https://ipa2.example.com/ipa/json'
Systemwide CA database updated.
The ipa-certupdate command was successful
# certutil -L -d /etc/pki/pki-tomcat/alias/
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

This is *before* I installed the new certificate. I get this with freeipa 4.4.0 on CentOS 7.3 and 4.4.4 on Debian. Doesn't look very reliable, does it? That's my concern.

Not to mention that /etc/pki/pki-tomcat/alias doesn't even exist, so I wonder what did ipa-certupdate do???

Every helpful comment is highly appreciated.

Harri

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
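A small diagnostic script, added here and not part of Harri's message or of FreeIPA itself: before running certutil against an NSS database directory it checks that the directory exists and which database files it actually holds (cert8.db/key3.db for the legacy DBM format, cert9.db/key4.db for the SQLite format), then passes an explicit dbm: or sql: prefix to certutil -L -d. A missing directory such as /etc/pki/pki-tomcat/alias in the post above is then reported as missing rather than surfacing only as a database-format error. The function names and the classification labels (missing, empty, dbm, sql, mixed) are my own; the dbm:/sql: prefixes are certutil's.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): classify an NSS
# database directory before asking certutil to read it, so "directory does
# not exist" and "legacy DBM vs. SQLite database" are distinct findings.

# Print one of: missing | empty | dbm | sql | mixed  (labels are my own)
nss_db_format() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo missing
        return 0
    fi
    have_dbm=0
    have_sql=0
    # Legacy DBM databases: cert8.db / key3.db
    if [ -e "$dir/cert8.db" ] || [ -e "$dir/key3.db" ]; then
        have_dbm=1
    fi
    # SQLite databases (NSS "sql:" backend): cert9.db / key4.db
    if [ -e "$dir/cert9.db" ] || [ -e "$dir/key4.db" ]; then
        have_sql=1
    fi
    if [ "$have_dbm" -eq 1 ] && [ "$have_sql" -eq 1 ]; then
        echo mixed
    elif [ "$have_dbm" -eq 1 ]; then
        echo dbm
    elif [ "$have_sql" -eq 1 ]; then
        echo sql
    else
        echo empty
    fi
}

# Build the -d argument with an explicit backend prefix so certutil does
# not have to guess the on-disk format. When both formats are present the
# newer SQLite store is preferred (a choice made here, not an NSS rule).
nss_db_arg() {
    case $(nss_db_format "$1") in
        dbm)       echo "dbm:$1" ;;
        sql|mixed) echo "sql:$1" ;;
        *)         return 1 ;;
    esac
}

# List certificates in the database, or say why that is not possible.
list_nss_certs() {
    dir=$1
    fmt=$(nss_db_format "$dir")
    case $fmt in
        missing) echo "$dir: directory does not exist" >&2; return 1 ;;
        empty)   echo "$dir: no cert8.db/cert9.db found" >&2; return 1 ;;
    esac
    if ! command -v certutil >/dev/null 2>&1; then
        echo "certutil not installed (nss-tools)" >&2
        return 1
    fi
    certutil -L -d "$(nss_db_arg "$dir")"
}

# Stand-alone usage: sh nss-db-check.sh /etc/pki/pki-tomcat/alias
if [ $# -gt 0 ]; then
    for d in "$@"; do
        echo "== $d ($(nss_db_format "$d"))"
        list_nss_certs "$d" || true
    done
fi
```

Running it against the directory from the post separates the two questions Harri raises: whether the directory is there at all, and if so which format certutil should be told to open.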