[Freeipa-users] is ipa-cert-manage safe to use?

Rob Crittenden rcritten at redhat.com
Mon May 15 14:44:41 UTC 2017


Harald Dunkel wrote:
> Hi folks,
> 
> I have to renew (or replace) the externally signed certificate
> on my ipa servers using a new ca. Apparently the tool of choice
> is ipa-cacert-manage.
> 
> Of course I found https://www.freeipa.org/page/Howto/CA_Certificate_Renewal.
> Problem is, I cannot estimate the risk and if it's worth the effort.
> What happens to freeipa if ipa-cacert-manage fails miserably? Does it
> affect the LDAP database or Kerberos? Will it break the connection
> between my ipa servers or between servers and clients?
> 
> Would you suggest to forget all the "CA stuff" in freeipa and manage
> the certificates externally?
> 
> The platform of the ipa servers is Centos 7.3. There are 100+
> Debian and RedHat clients using freeipa 4.4.3 and 4.0.5 and 3.0.2.
> 
> I am highly concerned. Every helpful comment is appreciated.

I'm confused. You mention replacing some "externally signed certificate"
and yet then ask about switching to externally signed certificates. What is
the current configuration? What is signing the existing server certs? Or
do you have an external CA signing the IPA CA?

ipa-cacert-manage is for managing the CA certificate, not service
certificates.

rob
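To answer Rob's question ("What is signing the existing server certs? Or do you have an external CA signing the IPA CA?") the first thing to look at is the issuer of the certificates you already have: the IPA CA certificate (/etc/ipa/ca.crt on IPA hosts) and the service certificates certmonger tracks (`getcert list` shows where each one lives). The script below is an added example, not code from this thread or from FreeIPA; it only assumes the `openssl` command is on PATH. It reports whether a PEM certificate is self-signed (issuer equals subject, i.e. a root such as a self-signed IPA CA) or prints the issuer DN you need to chase next. The sample certificates it generates are constructed on the fly and stand in for the real files.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the FreeIPA project):
# tell what signs a certificate by comparing its issuer with its subject.
# Assumes the openssl CLI is available.

# cert_signer FILE.pem
# Prints "self-signed" when issuer == subject (a root CA, e.g. an IPA CA
# that is not chained to an external CA); otherwise prints the issuer DN,
# which is the certificate you must examine next.
cert_signer() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    if [ "$subj" = "$iss" ]; then
        echo "self-signed"
    else
        echo "$iss"
    fi
}

# Constructed sample data: a throwaway self-signed CA (standing in for
# /etc/ipa/ca.crt) and a service certificate signed by it (standing in for
# a certmonger-tracked HTTP or LDAP cert). Prints the directory they are in.
make_sample_certs() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/svc.key" -out "$dir/svc.csr" \
        -subj "/O=EXAMPLE.TEST/CN=ipa.example.test" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/svc.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/svc.pem" >/dev/null 2>&1
    echo "$dir"
}

# Stand-alone run: show the signer of both sample certificates.
if [ "${1:-}" = "demo" ]; then
    d=$(make_sample_certs)
    echo "ca.pem  -> $(cert_signer "$d/ca.pem")"
    echo "svc.pem -> $(cert_signer "$d/svc.pem")"
fi
```

Run it against the real files (`cert_signer /etc/ipa/ca.crt`): if the IPA CA comes back "self-signed" and the service certificates name that CA as issuer, you are running the built-in IPA CA and ipa-cacert-manage is the tool for renewing the CA certificate itself; if the IPA CA names some other issuer, an external CA signs your IPA CA, and if the service certificates name an issuer that is not the IPA CA at all, those are the externally signed service certificates Rob is asking about, which ipa-cacert-manage does not handle.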
