On Fri, 2023-04-14 at 17:54 +0000, Shawn Asmussen via FreeIPA-users wrote:
> Our organization has a large number of existing certificates that we
> want to make modifications to the options for. Specifically, we have
> certificates used by a couple of different services, that we want to
> add in a service restart when the certificate auto-renews, and we
> also have a lot of certificates that were created before we knew
> about the options like -O/-M/etc... where we manually set file
> permissions on the certs after creation. I know how to do these
> things on a new cert request, using the various options, but I'd
> like to update these options on certificates that are already being
> tracked. The only way I've managed to do it so far is by using
> ipa-getcert resubmit, with the options that I want changed. However,
> this method results in the entire certificate being regenerated on
> the spot. If we had a small number of certs that we wanted to update,
> this wouldn't be a huge problem, but we have several different certs
> on a few thousand production systems that we want to update this
> way, and I'd prefer not to send 10,000 cert renewals up to the master
> server, and that would also end up making all of those thousands of
> certs auto renew at roughly the same time every year, which we
> consider to be undesirable. I assume that manual edits of the files
> in /var/lib/certmonger/requests is not the proper way to handle this,
> but what IS the correct way to make such modifications after the
> initial ipa-getcert request that created the certs originally?
You can update the properties of an existing tracking request with
'getcert start-tracking'. Use -i to identify the request and then add any
-M, -O, etc. options and the original request will be modified to
add/change those options.

-- 
Sam Morris <s...@robots.org.uk>

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
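The approach in the reply above, carried through as a script for a host that tracks several certificates (an added example, not code from the thread or from certmonger): it parses the output of `getcert list` to find the request ID that owns a given certificate file, then assembles the `getcert start-tracking -i ID ...` command that rewrites the owner, mode and post-save command on that existing request instead of resubmitting it. The `getcert list` text embedded below is a constructed sample in the shape that command prints (the request IDs, paths and service names are invented); the script prints the commands so they can be reviewed before piping them to `sh`, and `-O`/`-M`/`-C` are the documented owner, mode and post-save-command options of `getcert start-tracking`.

```shell
#!/bin/sh
# Added example: locate certmonger request IDs by certificate path and build
# the 'getcert start-tracking -i ID' command that modifies the tracking
# options in place (no new cert is issued, unlike 'resubmit').

# CONSTRUCTED sample of 'getcert list' output (two tracked file-based certs).
# On a real host, replace this with:  SAMPLE_LIST=$(getcert list)
SAMPLE_LIST=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20230414175400':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/httpd.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/httpd.crt'
	CA: IPA
	post-save command: 
	track: yes
	auto-renew: yes
Request ID '20230414175401':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/ldap.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/ldap.crt'
	CA: IPA
	post-save command: 
	track: yes
	auto-renew: yes
EOF
)

# request_id_for_cert CERT_PATH  (reads 'getcert list' output on stdin)
# Prints the request ID whose 'certificate:' line points at CERT_PATH,
# or nothing when no tracked request uses that file.
request_id_for_cert() {
    awk -v want="$1" -v q="'" '
        /^Request ID / {
            id = $3                       # looks like: '"'"'2023...'"'"':
            gsub(q, "", id); gsub(":", "", id)
        }
        /^[ \t]*certificate: / {
            s = $0
            i = index(s, "location=")
            if (i == 0) next
            s = substr(s, i + 9)          # strip everything up to location=
            gsub(q, "", s)                # drop the surrounding quotes
            if (s == want) { print id; exit }
        }'
}

# retrack_command ID OWNER MODE POST_SAVE_CMD
# Emits the start-tracking invocation that changes those three options on
# the existing request; -i selects the request, as in the reply above.
retrack_command() {
    printf "getcert start-tracking -i '%s' -O '%s' -M '%s' -C '%s'\n" \
        "$1" "$2" "$3" "$4"
}

# plan_updates: one line per certificate we want to change.  Each entry is
# "cert-path owner mode post-save-command"; the services are invented.
plan_updates() {
    while read -r cert owner mode cmd; do
        [ -n "$cert" ] || continue
        id=$(printf '%s\n' "$SAMPLE_LIST" | request_id_for_cert "$cert")
        if [ -z "$id" ]; then
            echo "# no tracking request found for $cert" >&2
            continue
        fi
        retrack_command "$id" "$owner" "$mode" "$cmd"
    done <<'EOF'
/etc/pki/tls/certs/httpd.crt root 0644 systemctl reload httpd
/etc/pki/tls/certs/ldap.crt root 0600 systemctl restart dirsrv@EXAMPLE-COM.service
/etc/pki/tls/certs/missing.crt root 0600 true
EOF
}

# Review the output, then run it with:  plan_updates | sh
plan_updates
```

Because the change is applied per request ID, each host only rewrites its own tracking entries and nothing is sent to the CA; the existing renewal dates are left as they are, which is what the original question was trying to preserve.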