Converting self-signed root CA to intermediate CA
by Schrock, Chad - 0336 - MITLL
We have a small-ish RHEL 7 IdM (4.6.8) domain that is currently running with
a self-signed root CA. All is well and good, except we've been told that we
have to play nice with the rest of the organization now, which includes
changing the self-signed root CA into an intermediate CA.

I remember a discussion on here about converting an IdM root CA into an
intermediate CA, but for the life of me I can't find the discussion or any
related documentation. (Was I hallucinating?)

* Is what I'm talking about even possible?
* If it is possible, is there some documentation somewhere where I can
  read up on the process and potential risks?
* If it isn't possible, short of creating a new domain and moving
  all of the clients to it, what might work here?
  - I'm not against this; however, we have several replica IdM servers at
    remote sites that are on the other end of low-bandwidth, high-latency
    satellite links. Having the various IdM servers talk amongst themselves for
    regular domain updates hasn't been a problem. We've never been able to
    create a new replica at our remote sites though.

Thank you all for your time,
Chad Schrock, he/him
Supporting MIT Lincoln Laboratory, Lexington, MA