<div dir="ltr"><div><div><div>I once asked about installing IPA servers with a certificate provided by a third party like Verisign (<a href="https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html" target="_blank">https://www.redhat.<wbr>com/archives/freeipa-users/<wbr>2016-September/msg00440.html</a>). Florence, Rob and Jakub from Red Hat had been very helpful and pointed out the solution at <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca" target="_blank">https://access.redhat.com/<wbr>documentation/en-US/Red_Hat_<wbr>Enterprise_Linux/7/html/Linux_<wbr>Domain_Identity_<wbr>Authentication_and_Policy_<wbr>Guide/install-server.html#<wbr>install-server-without-ca</a>, about "Installing Without a CA", and it worked great!<br><br></div>Now another problem has come up: the Verisign (or any other) certificate will expire in a year or two, so how can I smoothly renew the Verisign certificate on the primary and replica IPA servers a year from now? Or if we decide to use another provider, say a GoDaddy certificate, how can I replace the existing certificate on both IPA servers? I found a relevant instruction at <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#auto-cert-renewal" target="_blank">https://access.redhat.com/<wbr>documentation/en-US/Red_Hat_<wbr>Enterprise_Linux/7/html-<wbr>single/Linux_Domain_Identity_<wbr>Authentication_and_Policy_<wbr>Guide/index.html#auto-cert-<wbr>renewal</a>, but that's about the "Dogtag" CA certificate, not about the third-party certificate I am using in our upcoming production environment (running IPA 4.2 on RHEL7).<br><br></div>Please advise. Thank you!<br></div>Beeth<br></div>