I'm currently trying to evaluate if we may use IPA server to help manage our park of Linux clients. When installing the IPA server I used the following commands:

    sudo ipa-server-install --external-ca --external-ca-type=ms-cs
    sudo ipa-server-install --external-cert-file=/home/$USER/ipa.cer --external-cert-file=/home/$USER/certnew.cer

Now when the CA certificate in Windows expired, I used Certificate Authority Manager to renew the CA certificate. I'm now struggling trying to figure out how to renew the IPA certificate. This is what I've tried:

    sudo ipa-cacert-manage --external-ca --external-ca-type ms-cs renew

On the Windows server I'm forced to use the certreq command in the CLI, as the GUI Manager only complains of the CSR being the wrong type. And I'm only having success in using the WebServer template. No other templates work. And I'm assuming the SubordinateCertificationAuthority template is the one that should be used?

    certreq -submit -attrib CertificateTemplate:WebServer

Back on the IPA server, I try installing the signed certificate:

    sudo ipa-cacert-manage renew --external-cert-file=./ipa.cer --external-cert-file=./Root-CA.cer

But this only complains about the cert missing some basic constraints. Comparing the CSR generated during the install of the IPA server and the CSR generated with the ipa-cacert-manage renew command, I see that they differ in that the renew CSR is missing the .S.u.b.C.A

Does anyone have any insights into what's missing in the procedure? Thankful for any help that can help me progress on this.
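
A pre-flight check for the "missing basic constraints" complaint described above, as an added example that is not part of the original post: it uses openssl to report whether a PEM certificate carries the basicConstraints CA:TRUE extension before the file is handed to ipa-cacert-manage. The function names and the three self-signed sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a signed certificate for CA basic constraints.
# Function names and sample certificates are illustrative assumptions.

# Return 0 if the PEM certificate in $1 has basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Print a one-line verdict for the certificate in $1.
describe_cert() {
    if is_ca_cert "$1"; then
        echo "CA certificate (CA:TRUE)"
    else
        echo "not a CA certificate (no CA:TRUE basic constraint)"
    fi
}

# Build a constructed self-signed sample certificate at $1 whose only
# configured extension is the line in $2, so the check runs offline.
make_sample_cert() {
    cnf="$1.cnf"
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = constructed-sample
[ext]
$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cnf" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

SAMPLE_DIR=$(mktemp -d)
# Constructed samples: a sub-CA style cert, an explicit end-entity cert,
# and a cert with no basicConstraints extension at all.
make_sample_cert "$SAMPLE_DIR/subca.pem" "basicConstraints = critical,CA:TRUE"
make_sample_cert "$SAMPLE_DIR/leaf.pem"  "basicConstraints = CA:FALSE"
make_sample_cert "$SAMPLE_DIR/noext.pem" "keyUsage = digitalSignature"

for f in subca leaf noext; do
    echo "$f.pem: $(describe_cert "$SAMPLE_DIR/$f.pem")"
done
```

Against a real file, `describe_cert ./ipa.cer` gives the same verdict, provided the file is PEM encoded.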