You cannot use ipa-getcert to request / issue certificates from an
external CA. Issuing certificates now needs to be managed by the external
CA's tools. You should also disable the old CA from starting up on the IPA
server.
Jatin
On Thu, Jul 13, 2017 at 10:20 PM, Jeff Fouchard via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
The certificates are being issued via ipa-getcert. The certificates we
get back are signed with what looks to be the old "self-signed" IPA CA
certificate. The CN is the same as the new one, but the serial / expiry
and issuer are different from what IPA is using for its own web UI.
On Wed, Jul 12, 2017 at 8:23 PM, Jatin Nansi <jnansi(a)redhat.com> wrote:
> How are you issuing the certs for the clients? Are they signed by the
> same certificate chain that signed the IPA certificate? Did you install the
> CA certificate chain as trusted CA on the clients?
>
> On Thu, Jul 13, 2017 at 2:27 AM, Jeff Fouchard via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org> wrote:
>
>> We are in the process of switching to using an external CA. We have
>> successfully gone through the process and indeed the Web UI now shows the
>> expected certificate chain.
>>
>> However, when we issue certificates to our clients downstream, they are
>> using a signing certificate that was not issued by the new external CA.
>> I've tried to find in the documentation how that gets set, but seem to be
>> at a loss. Can anyone point me in the correct direction?
>>
>> Thanks!
>> Jeff
>>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
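The symptom Jeff reports (issuer CN identical to the new CA, but serial, expiry and issuer differ) is what you get when a second CA key carries the same subject name, so comparing CNs cannot tell the two apart. The script below is an added example, not code from this thread or from FreeIPA: it rebuilds that situation with throwaway keys (an old self-signed CA, a re-issued CA with the same CN but a new key under an external root, and a client certificate still coming from the old CA) and then checks issuance the way a practitioner should, by comparing the certificate's Authority Key Identifier with the CA's Subject Key Identifier and running an `openssl verify` against the chain. Every subject, file name and path in it is made up for the demo; it needs only `openssl` (1.1.1 or later) and writes into a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: rebuild the symptom
# with throwaway keys (an old self-signed "IPA CA", a re-issued CA with the SAME
# CN but a different key under an external root, and a client cert from the old
# CA), then check issuance by key identifier and chain, not by CN.
# Needs openssl 1.1.1 or later. All names, subjects and paths are made up.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Private openssl config so the demo does not depend on the system openssl.cnf.
cat >"$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# new_csr NAME SUBJECT: fresh 2048-bit key plus a CSR for it
new_csr() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -config "$WORK/openssl.cnf" -key "$WORK/$1.key" \
    -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
}
# self_signed NAME SUBJECT: root CA signed with its own key
self_signed() {
  new_csr "$1" "$2"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 \
    -extfile "$WORK/openssl.cnf" -extensions ca_ext -out "$WORK/$1.pem" 2>/dev/null
}
# issued NAME SUBJECT ISSUER PROFILE: cert for a new key, signed by ISSUER's key
issued() {
  new_csr "$1" "$2"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 365 -extfile "$WORK/openssl.cnf" -extensions "$4" \
    -out "$WORK/$1.pem" 2>/dev/null
}

# cn_of FIELD CERT: CN taken from -subject or -issuer, RFC 2253 form
cn_of() { openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'; }
# key_id CERT LABEL: the 20-byte key id under "Subject"/"Authority Key Identifier"
key_id() {
  openssl x509 -in "$1" -noout -text | sed -n "/$2 Key Identifier/{n;p;}" \
    | grep -o '\([0-9A-F]\{2\}:\)\{19\}[0-9A-F]\{2\}' | head -n1
}
# check_issuance CERT CA CHAIN: succeed only if CERT's AKI equals CA's SKI and
# CERT chains to CHAIN. A matching issuer CN proves nothing: a different key can
# carry the same name, which is exactly what the thread describes.
check_issuance() {
  cert=$1; ca=$2; chain=$3
  printf 'issuer CN "%s" / CA CN "%s"; ' "$(cn_of issuer "$cert")" "$(cn_of subject "$ca")"
  openssl x509 -in "$cert" -noout -serial -enddate | tr '\n' ' '
  echo
  aki=$(key_id "$cert" Authority); ski=$(key_id "$ca" Subject)
  if [ "$aki" = "$ski" ] && openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
    echo "OK: AKI $aki matches the CA's SKI and the chain verifies"
    return 0
  fi
  echo "MISMATCH: AKI $aki vs CA SKI $ski; signed by another key with the same CN"
  return 1
}

# Fixtures: old self-signed IPA CA; external root; new IPA CA (same CN, new key)
# under that root; a client cert that is still being issued by the old CA.
self_signed old_ipa_ca "/O=EXAMPLE.TEST/CN=Certificate Authority"
self_signed external_root "/O=Corp/CN=External Root CA"
issued new_ipa_ca "/O=EXAMPLE.TEST/CN=Certificate Authority" external_root ca_ext
issued client "/O=EXAMPLE.TEST/CN=host1.example.test" old_ipa_ca leaf_ext
cat "$WORK/new_ipa_ca.pem" "$WORK/external_root.pem" >"$WORK/new_chain.pem"

# Same issuer CN as the new CA, yet it does not chain to the external root...
check_issuance "$WORK/client.pem" "$WORK/new_ipa_ca.pem" "$WORK/new_chain.pem" || true
# ...because it was signed by the old self-signed CA's key.
check_issuance "$WORK/client.pem" "$WORK/old_ipa_ca.pem" "$WORK/old_ipa_ca.pem"
```

On a real deployment you would point `check_issuance` at a certificate that ipa-getcert handed back, at the CA certificate the web UI presents, and at the full chain served by the server; the key-identifier comparison is what separates "same CN" from "same CA", and the `openssl verify` step catches the case where the identifiers match but the chain to the external root is incomplete.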