Hi,
Yes, this looks correct. Make sure that 17 is the serial of your new
certificate (it may differ from my example), and don't forget to replace
O=XXX with the correct domain for your deployment.
Thanks, yes 17 was indeed the new serial and XXX was replaced.
The update was first tested with the -n and verbose option -v, then run.
Appeared to be okay, rebooted, and everything appears to have restarted.
When the PKI instance on your system is able to start, please closely
monitor its renewal or keep the mailing list in the loop if it does not
renew automatically.
It has already been renewed on restart
expires: 2020-09-04 17:46:56 BST
One final question. We have three FreeIPA servers and correctly receive a
warning via the web interface when visiting IPA Servers / Topology page
that:
"Only One CA server detected"
which is how the system was initially deployed a couple of years' ago,
probably not intentionally.
I am looking for a guide on the correct way to add CA servers on the other
two FreeIPA servers. Any ideas?
Thanks
Best wishes
Stuart