[Freeipa-users] Updating the CA certificate

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Mon Nov 5 19:50:06 UTC 2012


On 11/05/12 10:42, Rob Crittenden wrote:
> Erinn Looney-Triggs wrote:
>> On 11/05/12 10:25, Rob Crittenden wrote:
>>> Erinn Looney-Triggs wrote:
>>>> I hope I haven't missed it in searching around, but how does one update
>>>> the CA certificate in IPA?
>>>>
>>>> Though it is a year out from expiring I would rather know sooner than
>>>> later when it comes to this.
>>>
>>> Kudos for planning ahead!
>>>
>>> What kind of CA do you have installed? Are you using a dogtag backend CA
>>> or did you install with the selfsign method?
>>>
>>> rob
>>>
>>
>> Using dogtag CA and it is replicated, though, and I am not sure if this
>> makes a difference, it is a subordinate CA that has been issued by an
>> AD PKI setup.
> 
> You'll need to start with your AD PKI. I'm assuming it is expiring as
> well since the IPA CA validity period is limited by its issuer. Are you
> going to rekey the AD CA or renew the current CA cert?
> 
> rob
> 

Subordinate CAs from the AD by default are only valid for two years,
whereas by default the CA for the AD is valid for 10 years. So only the
subordinate cert is being reissued.

The key won't be changing on the IPA end, just the cert. Normally this
would just be an import new cert type thing, but I am unsure in the IPA
environment.

Make sense?
-Erinn

