Harald Dunkel wrote: > Hi folks, > > I have to renew (or replace) the externally signed certificate > on my ipa servers using a new ca. Apparently the tool of choice > is ipa-cacert-manage. > > Of course I found https://www.freeipa.org/page/Howto/CA_Certificate_Renewal. > Problem is, I cannot estimate the risk and if its worth the effort. > What happens to freeipa if ipa-cacert-manage fails miserably? Does it > affect the LDAP database or Kerberos? Will it break the connection > between my ipa servers or between servers and clients? > > Would you suggest to forget all the "CA stuff" in freeipa and manage > the certificates externally? > > The platform of the ipa servers is Centos 7.3. There are 100+ > Debian and RedHat clients using freeipa 4.4.3 and 4.0.5 and 3.0.2. > > I am highly concerned. Every helpful comment is appreciated.
I'm confused. You mention replacing some "externally signed certificate" and yet then ask switching to externally signed certificates. What is the current configuration? What is signing the existing server certs? Or do you have an external CA signing the IPA CA? ipa-cacert-manage is for managing the CA certificate, not service certificates. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project