[Freeipa-users] section 2.3.6. Installing Without a CA - then how to update expired certificates in LDAP?

Josh jcnt at use.startmail.com
Sat Dec 24 04:54:33 UTC 2016


I discussed this problem once before and got partial answers but I would 
like to finally resolve it.

Scenario:

1. Install IPA without a CA, according to section 2.3.6 (as of now) of the 
latest RHEL7 Linux Domain Identity, Authentication and Policy Guide.
2. Install a client and note the certificates it receives from IPA LDAP.
3. Near the expiration date, obtain a new set of certificates (server and 
intermediate); note that the intermediate certificate's common name has changed.
4. Run "ipa-server-certinstall -d -w key cert" to update all 
certificates. The command asks for the Directory Manager password, so I suppose it 
should update the LDAP contents, but
5. Install another client and observe that it receives the original 
certificates and no ipa command works.
6. ipa-certupdate, when run, pulls the original set from LDAP as if nothing 
was updated.

The workaround is to manually install the new intermediate certificate into 
/etc/ipa/nssdb on all systems with:
certutil -d /etc/ipa/nssdb/ -A -n "StartCom Class 1 DV Server CA - StartCom Ltd." -t C,, -i /tmp/1_Intermediate.crt

In LDAP under cn=certificates,cn=ipa,cn=etc,dc=example,dc=org I still 
see the previous version of the intermediate certificate, with a different common 
name:
StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL

Please help me replace it by any means.

Best Regards,
Josh.
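An added example (not from this thread and not FreeIPA's own code) for checking what cn=certificates actually holds before relying on ipa-certupdate: it parses an ldapsearch LDIF dump of that subtree, fingerprints each stored certificate and reports entries that do not match the intermediate installed with certutil. It assumes FreeIPA keeps CA certificates in the `cACertificate;binary` attribute and uses constructed placeholder bytes instead of real certificates.

```python
import base64
import hashlib

# Constructed placeholders standing in for DER certificates (not real X.509 data):
# OLD_DER is what LDAP still holds, NEW_DER is the intermediate installed with certutil.
OLD_DER = bytes(range(64))
NEW_DER = bytes(range(64, 128))
ENTRY_DN = "cn=StartCom Ltd.,cn=certificates,cn=ipa,cn=etc,dc=example,dc=org"

# Constructed sample of an `ldapsearch -LLL` dump of one cn=certificates entry.
_B64 = base64.b64encode(OLD_DER).decode()
SAMPLE_LDIF = (
    "dn: " + ENTRY_DN + "\n"
    "cn: StartCom Ltd.\n"
    # ldapsearch folds long values; continuation lines start with one space
    "cACertificate;binary:: " + "\n ".join(_B64[i:i + 40] for i in range(0, len(_B64), 40)) + "\n"
)

def parse_ldif(text):
    """One {attr: [values]} dict per entry; '::' values are base64-decoded to bytes."""
    entries = []
    for block in text.strip().split("\n\n"):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:   # unfold continuation line
                lines[-1] += line[1:]
            else:
                lines.append(line)
        entry = {}
        for line in lines:
            attr, _, value = line.partition(":")
            if value.startswith(":"):            # base64-encoded value
                entry.setdefault(attr, []).append(base64.b64decode(value[1:].strip()))
            else:
                entry.setdefault(attr, []).append(value.strip())
        entries.append(entry)
    return entries

def fingerprint(der):
    """SHA-256 of the DER blob; compare with `certutil -L -n <nick> -d /etc/ipa/nssdb`."""
    return hashlib.sha256(der).hexdigest()

def ldap_ca_fingerprints(ldif_text):
    """Map each entry DN to the fingerprints of the certificate(s) stored in it."""
    return {e["dn"][0]: [fingerprint(d) for d in e.get("cACertificate;binary", [])]
            for e in parse_ldif(ldif_text)}

def stale_entries(ldif_text, installed_der):
    """DNs whose stored certificate differs from the intermediate installed on the clients."""
    want = fingerprint(installed_der)
    return sorted(dn for dn, fps in ldap_ca_fingerprints(ldif_text).items() if want not in fps)
```

Feed it the real dump (`ldapsearch -LLL -b cn=certificates,cn=ipa,cn=etc,dc=example,dc=org`) and the DER of the newly installed intermediate; any DN it lists is an entry clients will still download unchanged.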
