On 12/08/2017 08:01 AM, Harald Dunkel via FreeIPA-users wrote:
Hi Flo and Andrew,

thanks for your replies, but I think you missed the point:

The new (external) root CA certificate and the new ipa
CA certificate are *in* freeipa already, but on the host
I had used for running ipa-cacert-manage to deploy this
new PKI the database in /var/lib/pki/pki-tomcat/ca/alias
appears to be in an inconsistent state. Manually fixing
this is not persistent.

If I create another CA replica, then this server looks
fine, except for the old root CA still in /etc/ipa/ca.crt .

I would like to get rid of the old PKI completely.


Regards
Harri
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Hi Harald,

the external CAs and FreeIPA CA must be stored in the LDAP server (cn=certificates,cn=ipa,cn=etc,$BASEDN). The correct procedure to add external CAs to the LDAP server is to run ipa-cacert-manage install.

You first need to have a clean state in the LDAP server. When all the required CAs are stored in LDAP with the right trust attribute, you can use ipa-certupdate to retrieve them and place them in the NSS databases and /etc/ipa/ca.crt.

If some certificates are manually added to the NSS databases but not present in the LDAP server, the next call to ipa-certupdate will remove them; this is why the state is not persistent.

If you want to completely remove an old root CA, you need to delete it from the LDAP server, otherwise it will return on the next call to ipa-certupdate.

Hope this clarifies,
Flo.
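Flo's reply describes a one-way sync: cn=certificates,cn=ipa,cn=etc,$BASEDN is the source of truth, and ipa-certupdate overwrites the NSS databases and /etc/ipa/ca.crt from it. The script below is an added example, not code from the thread or from FreeIPA, that makes that drift visible before you run ipa-certupdate: it fingerprints every certificate in three PEM bundles (what LDAP holds, what the NSS database holds, what /etc/ipa/ca.crt holds) and reports which local certificates LDAP does not know about (these will disappear on the next ipa-certupdate) and which LDAP certificates are missing locally (these will be added). How you collect the real bundles is an assumption on my part, not something the thread states: the cACertificate;binary values from an ldapsearch of cn=certificates wrapped in PEM headers, and one `certutil -L -d /var/lib/pki/pki-tomcat/ca/alias -n <nickname> -a` per nickname. The three bundles embedded here are constructed from placeholder bytes rather than real X.509 DER so the script runs offline; only the fingerprint-set logic is exercised.

```python
"""ca_drift.py: compare CA bundles against the LDAP source of truth.

Added example, not part of the FreeIPA-users thread or of FreeIPA itself.
The collection commands named in the lead-in are assumptions; the bundles
below are constructed placeholders, not real certificates.
"""
import base64
import hashlib
import re
import textwrap

# Matches each certificate body in a PEM bundle, whitespace included.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, the usual way to identify a CA cert."""
    return hashlib.sha256(der).hexdigest()


def parse_pem_bundle(text: str) -> dict:
    """Return {sha256 fingerprint: DER bytes} for every cert in the bundle."""
    certs = {}
    for body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        certs[fingerprint(der)] = der
    return certs


def drift(ldap_fps: set, local_fps: set) -> tuple:
    """What ipa-certupdate would change when syncing LDAP -> local store.

    Returns (will_be_removed, will_be_added): certs present locally but not
    in LDAP are dropped on the next ipa-certupdate; certs in LDAP but absent
    locally are pulled in.
    """
    return (sorted(local_fps - ldap_fps), sorted(ldap_fps - local_fps))


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM certificate block (64-column body)."""
    b64 = base64.b64encode(der).decode()
    return (
        "-----BEGIN CERTIFICATE-----\n"
        + "\n".join(textwrap.wrap(b64, 64))
        + "\n-----END CERTIFICATE-----\n"
    )


# Constructed stand-ins for the three certificates in the thread. These are
# NOT real DER; real bundles would come from ldapsearch / certutil / ca.crt.
OLD_ROOT = b"constructed placeholder: old external root CA"
NEW_ROOT = b"constructed placeholder: new external root CA"
NEW_IPA_CA = b"constructed placeholder: new IPA CA issued by new root"

# The situation Harald describes: LDAP already holds only the new PKI,
# the NSS database still carries the old root, and /etc/ipa/ca.crt on a
# fresh replica has the old root and lacks the new one.
LDAP_BUNDLE = to_pem(NEW_ROOT) + to_pem(NEW_IPA_CA)
NSS_BUNDLE = to_pem(OLD_ROOT) + to_pem(NEW_ROOT) + to_pem(NEW_IPA_CA)
CA_CRT_BUNDLE = to_pem(OLD_ROOT) + to_pem(NEW_IPA_CA)


def report(store_name: str, ldap_bundle: str, local_bundle: str) -> tuple:
    """Print and return the drift of one local store against LDAP."""
    ldap_fps = set(parse_pem_bundle(ldap_bundle))
    local_fps = set(parse_pem_bundle(local_bundle))
    removed, added = drift(ldap_fps, local_fps)
    print(f"[{store_name}] LDAP has {len(ldap_fps)} CA cert(s), "
          f"store has {len(local_fps)}")
    for fp in removed:
        print(f"  will be REMOVED by ipa-certupdate (not in LDAP): {fp}")
    for fp in added:
        print(f"  will be ADDED by ipa-certupdate (missing locally): {fp}")
    if not removed and not added:
        print("  in sync with LDAP")
    return removed, added


if __name__ == "__main__":
    report("pki-tomcat NSS db", LDAP_BUNDLE, NSS_BUNDLE)
    report("/etc/ipa/ca.crt", LDAP_BUNDLE, CA_CRT_BUNDLE)
```

Read the output the way Flo's reply says to: anything listed as "will be REMOVED" is exactly the manual NSS fix that does not persist, and anything you want gone for good (the old root) must not appear in the LDAP bundle at all, otherwise it comes back on the next ipa-certupdate.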