[Freeipa-users] Updating the CA certificate

Rob Crittenden rcritten at redhat.com
Tue Nov 6 21:06:26 UTC 2012


Erinn Looney-Triggs wrote:
> On 11/05/12 10:42, Rob Crittenden wrote:
>> Erinn Looney-Triggs wrote:
>>> On 11/05/12 10:25, Rob Crittenden wrote:
>>>> Erinn Looney-Triggs wrote:
>>>>> I hope I haven't missed it in searching around, but how does one update
>>>>> the CA certificate in IPA?
>>>>>
>>>>> Though it is a year out from expiring I would rather know sooner than
>>>>> later when it comes to this.
>>>>
>>>> Kudos for planning ahead!
>>>>
>>>> What kind of CA do you have installed? Are you using a dogtag backend CA
>>>> or did you install with the selfsign method?
>>>>
>>>> rob
>>>>
>>>
>>> Using dogtag CA and it is replicated, though, and I am not sure if this
>>> makes a difference, it is a subordinate CA that has been issued by an
>>> AD PKI setup.
>>
>> You'll need to start with your AD PKI. I'm assuming it is expiring as
>> well since the IPA CA validity period is limited by its issuer. Are you
>> going to rekey the AD CA or renew the current CA cert?
>>
>> rob
>>
>
> Subordinate CAs from the AD by default are only valid for two years,
> whereas by default the CA for the AD is valid for 10 years. So only the
> subordinate cert is being reissued.
>
> The key won't be changing on the IPA end, just the cert. Normally this
> would just be an import new cert type thing, but I am unsure in the IPA
> environment.
>
> Make sense?
> -Erinn
>
>

Renewing a CA signing certificate with the same key pair is much simpler.

Here is a link on how to do so:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/managing-ca-related-profiles.html

look under
2.7.3. Allowing a CA Certificate to Be Renewed Past the CA's Validity Period

rob
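An added example, not part of Rob's reply or of any FreeIPA/dogtag tooling: a shell script that builds a constructed root and subordinate CA with openssl, then runs the checks worth doing on a renewed subordinate certificate in the same-key-pair scenario described above (public key unchanged, validity not exceeding the issuer's, chain still verifies). All names, serials and validity periods are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for renewing a
# subordinate CA certificate while keeping its key pair. All names and
# certificates here are constructed on the fly with openssl.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Root CA (stands in for the AD PKI root): 10-year validity.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Constructed Root CA" -days 3650 2>/dev/null
# Subordinate CA key and CSR (stands in for the IPA dogtag CA).
openssl req -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
  -subj "/CN=Constructed IPA Sub CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Issue a sub-CA cert from a CSR: $1=CSR $2=validity days $3=serial $4=output
issue() {
  openssl x509 -req -in "$1" -CA root.pem -CAkey root.key -set_serial "$3" \
    -days "$2" -extfile ca.ext -out "$4" 2>/dev/null
}
issue sub.csr 730 1 sub.pem            # original 2-year sub-CA cert
issue sub.csr 730 2 sub-renewed.pem    # renewal: same CSR, same key, new serial
issue sub.csr 4000 3 sub-toolong.pem   # renewal that would outlive the issuer
openssl req -newkey rsa:2048 -nodes -keyout sub2.key -out sub2.csr \
  -subj "/CN=Constructed IPA Sub CA" 2>/dev/null
issue sub2.csr 730 4 sub-rekeyed.pem   # a rekey, not a renewal

# SHA-256 over the DER SubjectPublicKeyInfo: identical iff the key pair is unchanged.
pubkey_fp() { openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }
same_key() { [ "$(pubkey_fp "$1")" = "$(pubkey_fp "$2")" ]; }
# notAfter as epoch seconds (GNU date).
not_after() { date -u -d "$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)" +%s; }
# The sub-CA cert must not expire after its issuer's cert does.
within_issuer() { [ "$(not_after "$1")" -le "$(not_after "$2")" ]; }
# The renewed cert must still chain to the root.
chains_to() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

check() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
check same_key sub.pem sub-renewed.pem
check same_key sub.pem sub-rekeyed.pem        # FAIL expected: key changed
check within_issuer sub-renewed.pem root.pem
check within_issuer sub-toolong.pem root.pem  # FAIL expected: outlives issuer
check chains_to sub-renewed.pem root.pem
```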
