Hi
In our current ipa implementation some of the ipa internal certificates
are not able to be renewed correctly.
After a lot of support both from Red Hat and also through this list,
neither of which was able to fix the issue, I was advised by Red Hat to
implement a new instance of ipa and migrate to it.
I now have the new ipa instance running on RHEL7 servers, but before
migrating clients and users to it I would like to test that the ipa
certificate renewal will work correctly. However, I don't want to break
the new instance!
I've read chapters 24 and 26 of the Linux Domain Identity,
Authentication and Policy guide and I'm not sure either are relevant to
renewing e.g. 'ocspSigningCert cert-pki-ca', which was one of the ones I
was having problems with before.
In trying to fix the current ipa implementation we have been using e.g.
'getcert resubmit -i <id>' where <id> is the id of the
'ocspSigningCert cert-pki-ca' certificate as shown by 'getcert list'.
Is 'getcert resubmit -i <id>' a sensible way to test renewing a
certificate manually in a working ipa instance?
Do I need to do anything else to propagate the new certificate to the
replica?
Do I need to explicitly revoke the old certificate, if so how?
Thanks.
Roderick Johnstone