PS: I have derived another CA replica "ipa0" from ipa2. certutil shows different trustargs again. Shouldn't ipa2 and the new ipa0 have identical trustargs?
[root@ipa0 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI caSigningCert cert-pki-ca CTu,Cu,Cu subsystemCert cert-pki-ca u,u,u Server-Cert cert-pki-ca u,u,u CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C caSigningCert cert-pki-ca CTu,Cu,Cu ocspSigningCert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,Pu ipa2 has: [root@ipa2 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI caSigningCert cert-pki-ca CTu,Cu,Cu subsystemCert cert-pki-ca u,u,u CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C caSigningCert cert-pki-ca CTu,Cu,Cu CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE C,, ocspSigningCert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,Pu Server-Cert cert-pki-ca u,u,u Regards Harri _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org