Hi Florence,
Thanks for all the help so far.
In the scenario where we need to change the current CA certificate with the one signed by
an external CA:
As per your suggestion, we are running the "ipa-cacert-manage install" command to
provide all the CA certs in the chain, one at a time, starting from the root CA, as pasted
below:
[root@ldmserver01 certs]# ipa-cacert-manage install root.pem
Installing CA certificate, please wait
Not a valid CA certificate: missing subject key identifier extension (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.
[root@ldmserver01 certs]#
The command complains about a missing subject key identifier extension in the external CA
root certificate.
Please advise how we can make it work. We can't expect our CA team to fix this for us,
as this external CA server and its CA chain are being used by so many other services
already.
Thanks,
Saurabh Garg